Newsgroups: php.internals
From: nyamsprod@gmail.com (ignace nyamagana butera)
Date: Wed, 30 Apr 2025 09:58:02 +0200
Subject: Re: [PHP-DEV] [RFC] [Discussion] Add WHATWG compliant URL parsing API
To: Tim Düsterhus, Máté Kocsis, PHP Internals List
In-Reply-To: <809590c3-fd64-4861-8804-1c9eea62a4a8@bastelstu.be>

Hi Máté and Tim

I read the following in the RFC

> Withers of Uri\WhatWg\Url follow the relevant “setter steps” that are defined by WHATWG URL. Unfortunately, these algorithms sometimes have surprising behavior where modification fails silently, and the original values are kept. For example. Even though this RFC acknowledges the fact that the WHATWG URL “setter steps” have gotchas, it doesn't try to prevent them - as doing so would be spec-incompliant.

Reading the WHATWG URL specification and checking how

- Chrome,
- Firefox
- and even https://github.com/TRowbotham/URL-Parser

behave, I see that mutators either silently reject the invalid input on the setter or normalize it. I was wondering if it still makes sense to say that URL mutators can throw InvalidUrlException? Since AFAIK only a TypeError could actually be thrown if the wrong input is given, no specially crafted string can make the spec throw unless I have overlooked it.

On Tue, Apr 29, 2025 at 8:55 PM Tim Düsterhus wrote:

> Hi
>
> On 4/29/25 10:54, ignace nyamagana butera wrote:
> > I have one last question while reviewing my polyfill implementation. Is it
> > worth it adding a SensitiveParameter attribute on the argument of the
> > following methods ?
> >
> > - Uri\Rfc3986\Uri::withUserInfo
> > - Uri\WhatWg\Url::withPassword
> >
> > I'm fine with any answer ? Does it warrant a paragraph in the RFC ? That I
> > do not know but I feel the question may be raised ?
>
> Good catch. Since they may throw an exception for malformed inputs, they
> should have the attribute. Especially since folks might try to use
> special characters in passwords, which might need encoding.
>
> No paragraph in the RFC needed, but the attribute should be added to the
> “stub”.
>
> Best regards
> Tim Düsterhus
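The setter behaviour this message describes (invalid input silently rejected or normalized rather than raising), shown as an added JavaScript example that is not part of the thread or the RFC. It assumes Node.js, whose global `URL` class implements the WHATWG setters; `probeSetter`, `constructorThrows` and every input value are constructed for illustration.

```javascript
// Added illustration, not code from the thread or the RFC. Runs on Node.js,
// whose global URL class implements the WHATWG URL setters. Inputs are constructed.
const BASE = 'https://user@example.com:8443/path';

// Apply one setter and classify what happened to the URL.
function probeSetter(prop, value, base = BASE) {
  const url = new URL(base);
  const before = url.href;
  try {
    url[prop] = value;
  } catch (err) {
    return { outcome: 'threw', error: err.name, href: url.href };
  }
  let outcome = 'normalized';
  if (url.href === before) outcome = 'ignored';      // modification failed silently
  else if (url[prop] === value) outcome = 'applied'; // stored verbatim
  return { outcome, value: url[prop], href: url.href };
}

// The constructor, unlike the setters, rejects invalid input by throwing.
function constructorThrows(input) {
  try {
    new URL(input);
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}

const CASES = [
  ['protocol', 'mailto'],                  // special -> non-special scheme
  ['host', ''],                            // empty host on a special URL
  ['port', '99999'],                       // above 65535
  ['port', '443'],                         // default port for https
  ['hostname', 'EXAMPLE.ORG'],             // upper-case host
  ['password', 'p@ss:w/rd'],               // reserved characters in userinfo
  ['password', 'secret', 'file:///tmp/a'], // URL that cannot carry credentials
];

function runAll() {
  return CASES.map(([prop, value, base]) =>
    ({ prop, input: value, ...probeSetter(prop, value, base) }));
}

console.table(runAll());
```

A caller that needs to know whether a setter took effect has to compare the URL before and after, since none of these cases raises.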