Newsgroups: php.internals
From: kocsismate90@gmail.com (Máté Kocsis)
Date: Sat, 3 May 2025 23:05:56 +0200
Subject: Re: [PHP-DEV] [RFC] [Discussion] Add WHATWG compliant URL parsing API
To: ignace nyamagana butera
Cc: Tim Düsterhus, PHP Internals List

Hi Ignace,

I have just added the SensitiveParameter attribute to the
Uri\Rfc3986\Uri::withUserInfo() and Uri\WhatWg\Url::withPassword() methods.

> Reading the WHATWG URL specification and checking how
>
> - Chrome,
> - Firefox
> - and even https://github.com/TRowbotham/URL-Parser
>
> behave I see that mutators either silently reject the invalid input on
> setter or normalize it. I was wondering if it still makes sense to
> say that URL mutators can throw InvalidUrlException? Since AFAIK only a
> TypeError could actually be thrown if the wrong input is given, no
> specially crafted string can make the spec throw unless I have overlooked
> it.

I double-checked the implementation, and I quickly managed to find a case
when an exception is thrown:

    $url = new Uri\WhatWg\Url("https://example.com");
    $url->withHost("[1.2.3.4");

The above code will throw a Uri\WhatWg\InvalidUrlException that refers to the
"IPv6-unclosed" WHATWG URL error, so I think it makes sense to keep the current
behavior, especially with respect to possible future changes of the
specification.

Regards,
Máté
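
What the two points in the message mean for calling code, as an added example that is not part of the original post or of php-src: an argument marked #[\SensitiveParameter] appears in an exception trace as a SensitiveParameterValue object rather than as the credential, and a host taken from untrusted input has to be applied inside a try/catch. setPasswordPlain(), setPasswordRedacted(), tracedArgument() and applyHost() are hypothetical helpers; the Uri\WhatWg classes are assumed to exist only on a PHP build that ships the RFC's API, and applyHost() reports 'unavailable' otherwise.

```php
<?php
declare(strict_types=1);

// Keep arguments in traces so the redaction is observable; production php.ini
// commonly sets this to On, which drops every argument instead.
ini_set('zend.exception_ignore_args', '0');

// Hypothetical stand-ins for a mutator that receives a credential and fails.
function setPasswordPlain(string $password): never
{
    throw new RuntimeException('mutator failed');
}

function setPasswordRedacted(#[\SensitiveParameter] string $password): never
{
    throw new RuntimeException('mutator failed');
}

// Reports how the credential argument of the throwing frame appears in the trace.
function tracedArgument(callable $mutator, string $secret): string
{
    try {
        $mutator($secret);
        return 'no exception';
    } catch (RuntimeException $e) {
        $arg = $e->getTrace()[0]['args'][0] ?? null;
        return is_object($arg) ? get_class($arg) : var_export($arg, true);
    }
}

// Applies an untrusted host value and reports the outcome instead of throwing.
function applyHost(string $base, string $host): string
{
    if (!class_exists(\Uri\WhatWg\Url::class)) {
        return 'unavailable'; // assumption: this build lacks the RFC's API
    }
    try {
        $updated = (new \Uri\WhatWg\Url($base))->withHost($host);
        return 'accepted';
    } catch (\Uri\WhatWg\InvalidUrlException $e) {
        return 'rejected';
    }
}

$secret = 'constructed-secret'; // constructed sample value
echo 'plain:    ', tracedArgument('setPasswordPlain', $secret), PHP_EOL;
echo 'redacted: ', tracedArgument('setPasswordRedacted', $secret), PHP_EOL;
echo 'host:     ', applyHost('https://example.com', '[1.2.3.4'), PHP_EOL;
```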