Newsgroups: php.internals
Subject: Re: [PHP-DEV] RFC json_validate() - status: Under Discussion
From: a.leathley@gmx.net (Andreas Leathley)
To: internals@lists.php.net
Date: Fri, 26 Aug 2022 11:43:23 +0200
Message-ID: <3d436bc3-2a4b-8267-8dae-a45c51dcb5b2@gmx.net>
References: <8D53AD5B-7CFC-4820-9EE4-FEB365D327A8@woofle.net>

On 26.08.22 11:00, Michał Marcin Brzuchalski wrote:
> A `json_decode()` is a substitute that IMO solves 99% of use cases.
> If I'd follow your logic and accept every small addition that handles 1% of
> use cases, somebody will raise another RFC
> for simplexml_validate_string or yaml_validate and the next
> PhpToken::validate.
> All above can be valid if we trust that people normally validate 300MB
> payloads to do nothing if they DON'T fail and there is nothing strange
> about that.

There is already a way to validate XML in PHP, and Yaml or PHP is something within the control of a PHP programmer, while JSON is mostly used as a format for communication in APIs, so you never know what you get.

If with a new function it becomes much easier to defend against a Denial-of-Service attack for some parts of a JSON API, then this can be a good addition just for security reasons. But this reason, which most resonates with me, is currently missing in the RFC, so I would suggest adding that fast / efficient validation of a common communication format reduces the attack surface for Denial-of-Service attacks.
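As an added example (not code from this thread or from the RFC), the script below shows the resource argument made above: on a constructed oversized payload, json_decode() materialises the whole value tree while json_validate() (PHP 8.3 and later) only parses, and an API can gate request bodies on size and nesting depth before it ever decodes them. The helper names buildPayload, isAcceptableJson and peakGrowth are my own.

```php
<?php
// Added example (not from the mailing-list thread): compare the memory cost of
// checking an API payload with json_decode() versus json_validate(), and gate
// untrusted bodies before decoding. json_validate() exists from PHP 8.3.
declare(strict_types=1);

// Constructed sample input: a large but well-formed JSON array, built as a
// string so that producing it does not itself allocate a PHP array.
function buildPayload(int $items): string
{
    $row = '{"id":1,"name":"user","tags":["a","b","c"]},';
    return '[' . rtrim(str_repeat($row, $items), ',') . ']';
}

// Gate an untrusted request body: size first, then syntax with a depth limit.
// Hypothetical helper; returns true only for JSON the app is willing to decode.
function isAcceptableJson(string $body, int $maxBytes, int $maxDepth = 64): bool
{
    if (strlen($body) > $maxBytes) {
        return false; // cheapest check: reject oversized bodies before parsing
    }
    if (function_exists('json_validate')) {
        return json_validate($body, $maxDepth); // parses without building values
    }
    // Fallback for PHP < 8.3: decode and discard, which materialises the tree.
    json_decode($body, true, $maxDepth);
    return json_last_error() === JSON_ERROR_NONE;
}

// Growth of peak memory while running $fn, in bytes.
function peakGrowth(callable $fn): int
{
    $before = memory_get_peak_usage();
    $fn();
    return memory_get_peak_usage() - $before;
}

$payload = buildPayload(50_000); // about 2.2 MB of valid JSON
printf("payload size: %.1f MB\n", strlen($payload) / 1e6);

if (function_exists('json_validate')) {
    printf("json_validate peak growth: %.1f MB\n", peakGrowth(fn() => json_validate($payload)) / 1e6);
}
printf("json_decode   peak growth: %.1f MB\n", peakGrowth(fn() => json_decode($payload, true)) / 1e6);

var_dump(isAcceptableJson($payload, 1 << 20));      // 2.2 MB body against a 1 MiB cap
var_dump(isAcceptableJson('{"a":[1,2]}', 1 << 20)); // small, well-formed body
var_dump(isAcceptableJson('{"a":[1,2', 1 << 20));   // truncated body
```

Run it under PHP 8.3 to see both measurements; on older versions only the decode measurement is printed and isAcceptableJson() falls back to decode-and-discard.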