Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:127093 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by qa.php.net (Postfix) with ESMTPS id 0D3C81A00BC for ; Fri, 11 Apr 2025 03:14:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1744341124; bh=8RW99yzrVA6e7Xi+fG2gQOUpDElE2yHAYekzW8gI3ic=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=gurz0cV5Tx6rLu75OWfNC19c6QIGLit0UsBB39EBVXixpQBTpORsDTxA4fud2dyBV u08UWvH8QDY+UDpyUi6WPAkcK+vVbaMZE/i4vnjXp4a8vL6dvSrsfoybblol4OoX5M sXPpyTG1zTFovowbGtnDNiawY2Dkz6UWjRsvNAIxHdMWUsVpHVdWABZZy4+JfIZ7NL 2PmqEdzPEymEqikL/iclotndgkVVFTlIrKayDUYM6q+uA5Dt8GZFKmk0t8uwi5HgxR GM9OeyPneWMfoR2PCAe+smTgFDoQMJQX3H8UQ9TgyPKn88r7RqJH7EGdSjO5gSjveM gHhvTG15+hP5A== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 53E08180056 for ; Fri, 11 Apr 2025 03:12:00 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-1.7 required=5.0 tests=ARC_SIGNED,ARC_VALID,BAYES_00, DKIM_INVALID,DKIM_SIGNED,DMARC_MISSING,SPF_HELO_NONE,SPF_NONE, T_FILL_THIS_FORM_SHORT autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: No X-Envelope-From: Received: from sender-of-o51.zoho.com.au (sender-of-o51.zoho.com.au [103.138.129.13]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Fri, 11 Apr 2025 03:11:59 +0000 (UTC) ARC-Seal: i=1; a=rsa-sha256; t=1744341258; cv=none; d=zohomail.com.au; s=zohoarc; b=dSIXd2zPYjnDW3YjDOvP0XG20o+B9rojg3pvMwbQbvVTp7ovhKWbjzEC1BI4dV5PCEZ5c7o0qcGPJCqAQUFUABW4z+Pywz+cJxlYpLPo2HDuW1cdEevnDuQQhCRyd38hc7ND4CsPqviXM+Cv6xtoEqgAdfPXsVJMb3tX5SxiXVA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com.au; s=zohoarc; t=1744341258; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:Subject:To:To:Message-Id:Reply-To; bh=RjkBYL6PPulyRMvkRtgF2VDnuxJclwNhYOkAwcLdRck=; b=yBFXMDzyKmDazhQCx/hmbuknJZegv/8ju2rQlvuONz2KG+H7BbmwLU7TWaWPuNIt0rDUSNKZkSk76tdeDMGkCt2RetQOvZYzO+nGpT4APkh/eIG3lx5IhW0Pdm7xjE1cEjNQNeiLOly2zvt4cJIca2Y4lhaYgCXIDVi+nui46rY= ARC-Authentication-Results: i=1; mx.zohomail.com.au; dkim=pass header.i=nicols.co.uk; spf=pass smtp.mailfrom=andrew@nicols.co.uk; dmarc=pass header.from= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1744341258; s=zmail; d=nicols.co.uk; i=andrew@nicols.co.uk; h=MIME-Version:References:In-Reply-To:From:From:Date:Date:Message-ID:Subject:Subject:To:To:Cc:Cc:Content-Type:Content-Transfer-Encoding:Message-Id:Reply-To; bh=RjkBYL6PPulyRMvkRtgF2VDnuxJclwNhYOkAwcLdRck=; b=Dz8tqoJvftIVbTjdwLYoHZYr7YK0cat1J44QWZHyKtNpUs80cGnWdc1HGuV4Epok ryfQu19WkLWZY4Q0ypyuNAWdjCjegQUe/R4aKvnFaxlS1iZ9HQlq4VQTZOG2+LN3goK rTTkM+v2QaYBznizjDeD0ak44TH62dXF1Fv/pyc0= Received: by mx.zoho.com.au with SMTPS id 1744341255309471.151190524439; Fri, 11 Apr 2025 13:14:15 +1000 (AEST) Received: by mail-ej1-f47.google.com with SMTP id a640c23a62f3a-aaee2c5ee6eso237873566b.1 for ; Thu, 10 Apr 2025 20:14:14 -0700 (PDT) X-Gm-Message-State: AOJu0Yzy9UCum22KICgI4byj7csNaq/pz1oPK+c5U+f2wKWt9+o2zvNm +IUKmH5f5e7C1TuWi96TaM2fslnLJGpZZv6zxusA84dRdIoR1M+0G/wF/NiRLJl5kA4y8wuZlqz 1ZM5WD9majSbwVI2HN/MDDCAt8kk= X-Google-Smtp-Source: AGHT+IFmqFoDMDlDia+krljByNcztbmxctqfSoEi0To4bl4zRXzbEfkTmFMGvEWrYPCirApiaHdJHOfMG5jAVEO/0Og= X-Received: by 2002:a17:907:3d0e:b0:ac7:1c1a:d0f6 with SMTP id a640c23a62f3a-acad36a066cmr72338866b.37.1744341252403; Thu, 10 Apr 2025 20:14:12 -0700 (PDT) Precedence: bulk list-help: list-post: List-Id: internals.lists.php.net x-ms-reactions: disallow MIME-Version: 1.0 References: <2e02e8bd16ccd8f326a014fa3812da43@bastelstu.be> In-Reply-To: Date: Fri, 11 Apr 2025 11:14:00 +0800 X-Gmail-Original-Message-ID: X-Gm-Features: ATxdqUGbZvcTqSVH8wnEISqaXEPl2jUuroK5GR5MD-c2BK_4DCsxLHGCwwqkDgY Message-ID: Subject: Re: [PHP-DEV] [RFC] [Discussion] Change default for zend.exception_ignore_args INI setting To: Larry Garfield Cc: php internals Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-ZohoMailClient: External From: andrew@nicols.co.uk (Andrew Lyons) > > Full agreement with Tim here - make PHP friendly to development. Generally I do agree with this sentiment. Languages should be developer-friendly, but not at the expense of safety. Developers are able to configure an INI setting in multiple ways including modifying an ini file, using the `ini_set()` method, and SAPI configuration. We cannot assume that every installation of every PHP webapp out there is managed by someone who knows, and understands, the risks of every INI setting. > > There are only few places where secrets would be actually relevant, and > > those can be covered by #[SensitiveParameter]. > I tend to agree as well. #[SensitiveParameter] is the better solution in= the 95% case. If there are libraries still not using it (as the RFC sugge= sts), those should have bugs (or preferably patches) filed against them. > > The great thing about attributes is they're intrinsically backward compat= ible, so there's no meaningful cost to adding/patching liberally. While I agree that #[SensitiveParameter] is a nice idea, I believe it=E2=80=99s currently insufficient in both implementation and adoption to = be relied on as the primary means of protecting sensitive data. Firstly it isn't only a few places where secrets are relevant. People have different views of what should be considered Sensitive. For example, under EU regulations anything which contains any Personally Identifiable Information (PII) should be considered sensitive, that includes first and last name, e-mail address, phone number, IP address, and so on. As developers we may not agree, but a stack trace which was displayed and included some of this information technically needs to be declared to the data commissioner in the EU within 72 hours (https://www.edps.europa.eu/data-protection/our-role-supervisor/perso= nal-data-breach_en). Secondly you cannot apply the #[SensitiveParameter] attribute to object properties. If you have an object which contains any passwords or PII, then you have to declare anywhere that you receive that object in a parameter with the #[SensitiveParameter] attribute. In many projects that is a huge number of methods - for example anywhere you format a string _might_ be passed a string which contains PII and therefore that would arguably need to have the attribute. In the case of libraries like Guzzle where any Request may contain a credential then the entire Request object must be declared sensitive at every usage. Thirdly, if you pass additional parameters to a function/method there is no way to apply this attribute (https://3v4l.org/8lBso#v8.4.6). I'm sure there is still plenty of code out there which makes use of `func_get_args()` instead of variadic arguments. There are still libraries out there which insist on supporting ancient versions of PHP which don't support variadic arguments so there is no way to set these as Sensitive. Even massive and well-supported libraries like the AWS-SDK still use `func_get_args()` in places like their TokenProvider. While you're correct that it is backwards compatible (and I agree that this is a fantastic feature of attributes), it is not widely used. Taking a look at some of the most popular libraries around, many don't have a single instance of it when arguably they will be passing around lots of sensitive information, for example: - aws-sdk-php only uses the SensitiveParameter in unit tests but it accepts credentials in a variety of places - Monolog has no uses of it, but is almost certainly going to be passed around PII, Tokens, Session IDs, etc. - Guzzle has no uses of it, but again it will almost certainly be passed credentials, tokens, etc. (e.g. for authentication) These are all widely used, well-maintained projects, and yet offer none of the apparent protection from the attribute. While the attribute is backwards compatible, the process of identifying appropriate usage and contributing patches can carry a non-trivial cost to identify possible uses, create a patch, and go through any pull request review processes. Different groups have different views on what should be considered Sensitive, so it is also likely to get caught up in any reviews for discussion.