Newsgroups: php.internals
From: nyamsprod@gmail.com (ignace nyamagana butera)
Date: Wed, 30 Apr 2025 18:42:03 +0200
Subject: Re: [PHP-DEV] [RFC] [Discussion] Add WHATWG compliant URL parsing API
To: Tim Düsterhus, Máté Kocsis, PHP Internals List
List-Id: internals.lists.php.net

Hi Máté and Tim

Why can't the Url::resolve method also expose the `$errors` parameter like the constructor and the parse static method? As far as I understand it, nothing prevents the API from exposing the errors during URI resolution, which is a proxy method for the constructor call just like the `parse` named constructor?

On Wed, Apr 30, 2025 at 9:58 AM ignace nyamagana butera wrote:

> Hi Máté and Tim
>
> I read the following in the RFC
>
> >Withers of Uri\WhatWg\Url follow the relevant “setter steps” that are defined by WHATWG URL. Unfortunately, these algorithms sometimes have surprising behavior where modification fails silently, and the original values are kept. For example. Even though this RFC acknowledges the fact that the WHATWG URL “setter steps” have gotchas, it doesn't try to prevent them - as doing so would be spec-incompliant.
>
> Reading the WHATWG URL specification and checking how
>
> - Chrome,
> - Firefox
> - and even https://github.com/TRowbotham/URL-Parser
>
> behave, I see that mutators either silently reject the invalid input on setters or normalize it. I was wondering if it still makes sense to say that URL mutators can throw InvalidUrlException? Since AFAIK only a TypeError could actually be thrown if the wrong input is given, no specially crafted string can make the spec throw unless I have overlooked it.
>
> On Tue, Apr 29, 2025 at 8:55 PM Tim Düsterhus wrote:
>
>> Hi
>>
>> On 4/29/25 10:54, ignace nyamagana butera wrote:
>> > I have one last question while reviewing my polyfill implementation. Is it
>> > worth adding a SensitiveParameter attribute on the argument of the
>> > following methods?
>> >
>> > - Uri\Rfc3986\Uri::withUserInfo
>> > - Uri\WhatWg\Url::withPassword
>> >
>> > I'm fine with any answer? Does it warrant a paragraph in the RFC? That I
>> > do not know but I feel the question may be raised?
>>
>> Good catch. Since they may throw an exception for malformed inputs, they
>> should have the attribute. Especially since folks might try to use
>> special characters in passwords, which might need encoding.
>>
>> No paragraph in the RFC needed, but the attribute should be added to the
>> “stub”.
>>
>> Best regards
>> Tim Düsterhus
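
The reason given in the quoted reply for marking these arguments with SensitiveParameter, as an added example that is not part of the thread or of the RFC's code: when a method throws, PHP records the call's arguments in the exception backtrace, and the attribute (PHP 8.2+) swaps the value for a `SensitiveParameterValue` object. `DemoUrl`, its two methods, the validation rule and the sample password are hypothetical stand-ins, not the proposed `Uri\WhatWg\Url` API.

```php
<?php
declare(strict_types=1);

// Production php.ini usually sets zend.exception_ignore_args=On, which drops
// all arguments from traces. Turn it off here so the difference is visible.
ini_set('zend.exception_ignore_args', '0');

// Hypothetical class for illustration only; not the RFC's Uri\WhatWg\Url.
final class DemoUrl
{
    // No attribute: the raw password is captured in the exception backtrace.
    public function withPasswordPlain(string $password): static
    {
        if (preg_match('/[\x00-\x1F]/', $password)) { // constructed rule
            throw new InvalidArgumentException('malformed password component');
        }
        return clone $this;
    }

    // With the attribute, the backtrace holds a SensitiveParameterValue instead.
    public function withPasswordRedacted(#[\SensitiveParameter] string $password): static
    {
        if (preg_match('/[\x00-\x1F]/', $password)) { // constructed rule
            throw new InvalidArgumentException('malformed password component');
        }
        return clone $this;
    }
}

// Runs the call and returns what the backtrace recorded for its first argument.
function firstTraceArg(callable $call): mixed
{
    try {
        $call();
    } catch (InvalidArgumentException $e) {
        // Frame 0 is the method that threw; 'args' are the values it was called with.
        return $e->getTrace()[0]['args'][0] ?? null;
    }
    return null;
}

$secret = "p@ss\x00word"; // constructed sample value containing a control byte
$url = new DemoUrl();

$plain = firstTraceArg(fn () => $url->withPasswordPlain($secret));
$redacted = firstTraceArg(fn () => $url->withPasswordRedacted($secret));

var_dump($plain === $secret);                          // password leaked into the trace
var_dump($redacted instanceof SensitiveParameterValue); // value wrapped, not printed by loggers
```

The attribute only covers the frame it is declared on: any helper further down the call stack that receives the same value needs it as well.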