Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:121204
Return-Path: <larry@garfieldtech.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 62981 invoked from network); 1 Oct 2023 15:43:33 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 1 Oct 2023 15:43:33 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 494EC18005C
	for <internals@lists.php.net>; Sun,  1 Oct 2023 08:43:31 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,
	RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_NONE,
	T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS19151 66.111.4.0/24
X-Spam-Virus: No
X-Envelope-From: <larry@garfieldtech.com>
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Sun,  1 Oct 2023 08:43:30 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
	by mailout.nyi.internal (Postfix) with ESMTP id 0F5D25C2C0C
	for <internals@lists.php.net>; Sun,  1 Oct 2023 11:43:30 -0400 (EDT)
Received: from imap50 ([10.202.2.100])
  by compute4.internal (MEProxy); Sun, 01 Oct 2023 11:43:30 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	garfieldtech.com; h=cc:content-type:content-type:date:date:from
	:from:in-reply-to:in-reply-to:message-id:mime-version:references
	:reply-to:sender:subject:subject:to:to; s=fm2; t=1696175010; x=
	1696261410; bh=fzZMVXUf1BO/VRfEsULUCbNWrHIo2dY8LOLHCZfGpj8=; b=f
	EQvqf9A71EOdNUJQrbex/NJiRr/sN8C8CTh+qEUEJMLpTj1Dj/aTLo+P5iQJgIQb
	wtpr4BNhvi92mDeQhE0pdJGoY6WD3R1x1efDz9fXmFjAvCwJd4lRP+ztpRd9A2/a
	JgCQ5V2AmdTaE+ELoHEG9MKC+dZVD77cR1viwcwnvCyffLNVyT1KlqQ3CamWF0cN
	OErjaotVRyaTn4LT5Hsze+7UQrtGfZbFGS9JJ7UzMV54A9Vu8FXIYWRlbYNk8wEi
	CZ0hwxdao5nde8SsoOKqNz0552ljidAWhmqcVA2QVkLJTAmDyt/LcJtwFZNQhjtT
	NyyXD/MM5jxJNps9GFbww==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:content-type:content-type:date:date
	:feedback-id:feedback-id:from:from:in-reply-to:in-reply-to
	:message-id:mime-version:references:reply-to:sender:subject
	:subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender
	:x-sasl-enc; s=fm2; t=1696175010; x=1696261410; bh=fzZMVXUf1BO/V
	RfEsULUCbNWrHIo2dY8LOLHCZfGpj8=; b=WgnupxHCUabgYQ7/H5dnpYXek3NqL
	16ekJzM9Ll2UP9iSduE8/mVGd87EDzVSVVqQX2lmbGDC5mF4Atai7QHsjhtFmzAJ
	Iha2Uh6+ERltXrYynXphU0Tw+wfL+d49lwcVzH7BZSoK69vKmsXEqrol1nfS7HB0
	5QXPjFbkPovbMI4J8j7Fsf6IBL3HuEFZwDFzDPfq0D3FNqR7usoByNKNU67fTSso
	TzZNdY+tWma5PmP4vNlijguNter/ZOS2k0loJ2TxBumo9jsiEL2NqosNjJ1rZ1iC
	NWhwAtDAbaR6J8uuAtntJwia9DHpCKuT2EdslOUP6l0jEnULANxifrO8w==
X-ME-Sender: <xms:oZMZZVFAP4BGSeXEzpz5tZzbYw-pAL4e6eDPicvlmBKOV8FyQM03fw>
    <xme:oZMZZaVEWT8T2up_m7qtgU141GxWQ8S7Wg26AN2BgF6BqXTfc7IVT_KITDjviQ5xD
    n8EHEg8PLbQww>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvkedrvddvgddtudcutefuodetggdotefrodftvf
    curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu
    uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc
    fjughrpefofgggkfgjfhffhffvufgtsehttdertderredtnecuhfhrohhmpedfnfgrrhhr
    hicuifgrrhhfihgvlhgufdcuoehlrghrrhihsehgrghrfhhivghlughtvggthhdrtghomh
    eqnecuggftrfgrthhtvghrnhepveehhedvveejledvvefgleevffdtjeekledvkeegheff
    gfeivdejhffhledtudetnecuffhomhgrihhnpehphhhprdhnvghtnecuvehluhhsthgvrh
    fuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheplhgrrhhrhiesghgrrhhfihgv
    lhguthgvtghhrdgtohhm
X-ME-Proxy: <xmx:oZMZZXLQKoIqPSx919CznuEF49iK01wsGUK8U6yvRIeWagq-jqNZbA>
    <xmx:oZMZZbGYfC1dh0Uvg4AargiyS7w0I809A7I-JRDFWch3H7O2qxkYog>
    <xmx:oZMZZbXNq8ydirngundIxfxe1Ow3KydMAY92UcjeeXFYF4TzM1vBmw>
    <xmx:opMZZYV9iNITOuJ6x8Qc4mVfceyOBnGaYjcBfZgP2Gc0K4TOzdactw>
Feedback-ID: i8414410d:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501)
	id 969BF1700089; Sun,  1 Oct 2023 11:43:29 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-958-g1b1b911df8-fm-20230927.002-g1b1b911d
MIME-Version: 1.0
Message-ID: <71481f6e-6afc-425f-8d7c-ded84fc79e1b@app.fastmail.com>
In-Reply-To: <c1e56578-e3da-4814-94f9-74af139721bd@gmail.com>
References: <c1e56578-e3da-4814-94f9-74af139721bd@gmail.com>
Date: Sun, 01 Oct 2023 10:43:08 -0500
To: "php internals" <internals@lists.php.net>
Content-Type: text/plain
Subject: Re: [PHP-DEV] XSLTProcessor max depth
From: larry@garfieldtech.com ("Larry Garfield")

On Sat, Sep 30, 2023, at 10:18 AM, Niels Dossche wrote:
> Hi internals
>
> I'm looking to address https://bugs.php.net/bug.php?id=71571.
> TL;DR: XSL has a maximum recursion depth, and it may even depend on the 
> distro/OS config.
> For complex inputs you may reach this limit, but PHP offers no way to 
> change that limit.
>
> As we already have methods in XSLTProcessor to configure certain things 
> (e.g. setProfiling, setSecurityPrefs), it may be an idea to add 
> `setMaxDepth(int $depth)` or something alike.
>
> Unfortunately, XSLTProcessor is non-final, so if a user class extends 
> this class and coincidentally already has a method with the same name 
> but incompatible signature, then they would get a compile error.
>
> What do you think?
>
> Kind regards
> Niels


In context, I cannot imagine why someone would have a setMaxDepth() method with that name, since, AIUI, they wouldn't be able to actually set the max depth.  So I think the chances of there being a conflict are extremely remote, and an acceptable risk.

This could be verified by doing a "top packages" scan using Nikita's script, which is probably a good step anyway.

--Larry Garfield