Newsgroups: php.internals
Date: Fri, 26 Aug 2022 11:47:48 +0200
From: dev.juan.morales@gmail.com (juan carlos morales)
To: Andreas Leathley
Cc: PHP Internals List
Subject: Re: [PHP-DEV] RFC json_validate() - status: Under Discussion

On Fri, 26 Aug 2022 at 11:43, Andreas Leathley wrote:
>
> On 26.08.22 11:00, Michał Marcin Brzuchalski wrote:
>
> There is already a way to validate XML in PHP, and Yaml or PHP is
> something within the control of a PHP programmer, while JSON is mostly
> used as a format for communication in APIs, so you never know what you
> get. If with a new function it becomes much easier to defend against a
> Denial-of-Service attack for some parts of a JSON API, then this can be
> a good addition just for security reasons.
>
> But this reason, which most resonates with me, is currently missing in
> the RFC, so I would suggest to add that fast / efficient validation of a
> common communication format reduces the attack surface for
> Denial-of-Service attacks.
>

For sure I will add this. Thanks a lot !!!!!!

That is exactly why we are having this discussion.

Once again, Thanks!

RFC: https://wiki.php.net/rfc/json_validate
Implementation: https://github.com/php/php-src/pull/9399
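
The denial-of-service argument made in the quoted message, as an added example (not code from the RFC, the php-src pull request or the participants in this thread). It assumes PHP 8.3 or later, where json_validate() is available; the limits, function names and sample payload are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical limits for an API endpoint; tune per service.
const MAX_BODY_BYTES = 1_048_576;
const MAX_DEPTH = 32;

// Gate for bodies that are stored or forwarded without being decoded here.
function isAcceptableJson(string $body): bool
{
    return strlen($body) <= MAX_BODY_BYTES   // cheap size check first
        && json_validate($body, MAX_DEPTH);  // parse only, no PHP values built
}

// Validation by decoding: builds the whole value tree just to discard it.
function isAcceptableJsonViaDecode(string $body): bool
{
    json_decode($body, true, MAX_DEPTH);
    return json_last_error() === JSON_ERROR_NONE;
}

// Peak memory growth in bytes while $check runs on $body.
function peakGrowth(callable $check, string $body): int
{
    memory_reset_peak_usage();
    $before = memory_get_peak_usage();
    $check($body);
    return memory_get_peak_usage() - $before;
}

// Constructed sample input: a valid JSON array of 50,000 small objects.
$body = '[' . implode(',', array_fill(0, 50_000, '{"id":1,"tag":"x"}')) . ']';

printf("body size:       %d bytes\n", strlen($body));
printf("json_validate(): %d bytes peak growth\n", peakGrowth('isAcceptableJson', $body));
printf("json_decode():   %d bytes peak growth\n", peakGrowth('isAcceptableJsonViaDecode', $body));

// Malformed and over-deep bodies are rejected without being decoded.
var_dump(isAcceptableJson('{"a":'));
var_dump(isAcceptableJson(str_repeat('[', 100) . str_repeat(']', 100)));
```

The gap between the two memory figures is the per-request cost an endpoint avoids when it only needs to know whether a body is valid JSON.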