Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Default expression
From: bilge@scriptfusion.com (Bilge)
To: internals@lists.php.net
Date: Mon, 26 Aug 2024 19:39:52 +0100
Message-ID: <1c2cb0d4-ecf2-41c7-9f31-e90f1bee3805@scriptfusion.com>

On 26/08/2024 19:11, Matthew Weier O'Phinney wrote:
>
> On Mon, Aug 26, 2024, 12:02 PM Larry Garfield <larry@garfieldtech.com> wrote:
>
>> I recognize that "limiting the allowed expression structures arbitrarily is way harder than it sounds" is a valid argument as well. At the same time, John C has offered some valid examples of cases where it would open up additional footguns, and we want to minimize those in general. Those shouldn't be ignored, either.
>
> This seems like a valid and balanced position from Larry.
>
> IF it's possible to accomplish, I think it's better to identify the "leaving this open will create WTF situations" than to prematurely lock _everything_ down up front.
>
> There's been a few good lists about the cool things this could enable, demonstrating the value; maybe now we should focus on the "we absolutely shouldn't enable" pieces to allow for broader consensus.

I like this approach. I'm still not sure I'd want to pursue adding exclusions, but if we can identify something that's obviously bad and/or dangerous then we can consider that short list for exclusion. That is much more compelling than starting out by banning everything and arbitrarily whitelisting those things someone personally has a use for.

Cheers,
Bilge