Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:118148
Return-Path: <rowan.collins@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 63752 invoked from network); 1 Jul 2022 08:15:41 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 1 Jul 2022 08:15:41 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 7B984180546
	for <internals@lists.php.net>; Fri,  1 Jul 2022 03:07:25 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,
	T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <rowan.collins@gmail.com>
Received: from mail-wr1-f47.google.com (mail-wr1-f47.google.com [209.85.221.47])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Fri,  1 Jul 2022 03:07:25 -0700 (PDT)
Received: by mail-wr1-f47.google.com with SMTP id i1so2439583wrb.11
        for <internals@lists.php.net>; Fri, 01 Jul 2022 03:07:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
        bh=z+ZFM7GRlqBLJJLNk9YOwvxLDmOpb9ox6e5ZtfUI//c=;
        b=IZ+LS6w9mjbUiUnIt8I5ONxcJuCoy2txDo8lTSNvTWu7xgniK1SC2xlUz6QVIhXf2h
         2ZjgopdVX0C8x+Karbtbmm9PIO63MArJrgjZ23G/C3uRd4qef9TMyJ23+xBTiASoG9Ar
         WphVuFlKgE3gNnYORLnbrnynSzVemHoGBsfHa0TYsZRXlcvTJapoWBgkwW19sadjPwSl
         v+Csc0S37MIIJEl3Iz1dyf6OK+Yvzy4j5zHoOQ4SXM2uWOVf5i4Pg6Zwt3w7LxUAqTm/
         5Ec97b/2WxRMTrZwdavSQpa4fiG3XWURyL96F4K53ejsLd/UqI1CI6WBUTbb1dSdV6LS
         kvWQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to;
        bh=z+ZFM7GRlqBLJJLNk9YOwvxLDmOpb9ox6e5ZtfUI//c=;
        b=6994yMIj49X3ldNHIr12MGAA3f/Rk/mX269s+pznu1iyY7IeTvMXlQQORTx5v7wuSl
         zUTAhiOvvcNg+7EN3wTxmp7eR+VeCrJxDSLtIs0fGiNvnqQnI7xASDXBjM1B5US5IupP
         IYlevHJdjXiDDH8PHnj5VkZ7+8Z88B1JPLlYqqslwJBtQA25Hg9l2kRYtx03pDNhHZZ5
         EO6OsRo3Ss1uD5Web2OwWfYMtGylMXqAHrR17Nk2doLrzJROAzT/fhvXjvNVqH7SivpQ
         uSRUUqwhkzpv+jmU4Xm883zn7CB1dZAEHlHbanOIda7dFHbXLIyxdTcYWzkndhC4BF5g
         ax3A==
X-Gm-Message-State: AJIora8wUQrAoXm/tS5f0uBB0rcP3uVKuE2WXiWCAERR6vZDU23rnTo6
	L2/U0kHCxyAWCdmDl/gYGG4WLeyPo4avCCWcXuF0Hmam
X-Google-Smtp-Source: AGRyM1tVeJv7UiKv4mT+cwpGpdTFN0tYkX/UluBWtGpMcnjqOuH/2upvsJmZVtjvgpTDbGiJpxkCQed1vA8ilHqt6mw=
X-Received: by 2002:adf:ec82:0:b0:21d:20a1:3f6b with SMTP id
 z2-20020adfec82000000b0021d20a13f6bmr12812396wrn.394.1656670043921; Fri, 01
 Jul 2022 03:07:23 -0700 (PDT)
MIME-Version: 1.0
References: <CAOfKkdTjPiZHnSHuag_+fmFK-1Advh2-vfDgbJBXEmK=72NB0g@mail.gmail.com>
 <7CB0EB0B-700D-49F6-8223-00A9B16F463B@php.net> <CAOfKkdQJUww10XkdcPx9AvAe=w=T8mS1MW6oJ=itzLp4x7L1jA@mail.gmail.com>
 <CAAKU0u=hatp+7LRKAjtdWkP3_zgu1ddNmDvLTrJ46CwS-YUXKQ@mail.gmail.com>
In-Reply-To: <CAAKU0u=hatp+7LRKAjtdWkP3_zgu1ddNmDvLTrJ46CwS-YUXKQ@mail.gmail.com>
Date: Fri, 1 Jul 2022 11:07:11 +0100
Message-ID: <CALKiJKroRK6K2DTj6c7jYQf32DH+=vigq0a8TargKVu6VY0ikQ@mail.gmail.com>
To: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="0000000000007a64b805e2bb8d20"
Subject: Re: [PHP-DEV] [RFC] [Under Discussion] New Curl URL API
From: rowan.collins@gmail.com (Rowan Tommins)

--0000000000007a64b805e2bb8d20
Content-Type: text/plain; charset="UTF-8"

On Thu, 30 Jun 2022 at 23:21, Levi Morrison via internals <
internals@lists.php.net> wrote:

> On Thu, Jun 30, 2022 at 10:48 AM Pierrick Charron <pierrick@php.net>
> wrote:
> > One of the goal of this API is to tighten a problematic vulnerable area
> > for applications where the URL parser library would believe one thing
> > and libcurl another. This could and has sometimes led to security
> > problems.
>
> Designing another API on top of what libcurl provides _could make the
> problem worse_.



My concern is rather the opposite: if it is not obvious *to someone writing
PHP code* how the API should be used, there is a higher chance of them
using it incorrectly, and introducing errors.

A good example of this mindset is the password_* functions: they do not
expose the options of underlying implementations, they present an
easy-to-use *opinionated* set of behaviours, that solves a common use case
for their audience. They allow users to "fall into the pit of success",
because the easy thing is also the correct thing.

However, to me at least, it's not entirely clear who the target audience
for this API is, what tasks it should be making easy, and what correct
usage looks like. Just providing a bunch of functions, in whatever form,
doesn't provide security unless users can understand how to use them
securely.

Regards,
-- 
Rowan Tommins
[IMSoP]

--0000000000007a64b805e2bb8d20--