Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:130437
X-Original-To: internals@lists.php.net
Delivered-To: internals@lists.php.net
Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5])
	by lists.php.net (Postfix) with ESMTPS id AD8C21A00BC
	for <internals@lists.php.net>; Tue, 24 Mar 2026 19:31:27 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail;
	t=1774380692; bh=6v9f6ZnhNoiw8N1ppqS3M/R/junEVN0rClIGz0i7ylY=;
	h=References:In-Reply-To:From:Date:Subject:To:Cc:From;
	b=FFXQE7GaBS9vJgiEzlqpbrcK3B/cPFJrcoFYkmY3NGUXPIgwMFn0ydE6RfA9ZKjf8
	 krhmAxp62sP98yxzVgC67dNOSHWDlXUifz0Lg9kqpJX0AlnnwWPULkk7pcnQG0exuj
	 5Bovc3nUtQHGakhabxBDsrq5AmXQKcShpyuSiusjd2X+09DFisWfNX9jLZHQc6rKMj
	 /PP8EOAxtCyjZ8xzjbKVf509Yw2080FYqR9OolrggDugMjeiVjE1vfKk4Zw9MKAqSM
	 V6QIW1727BSaAYPQ5KLkrpeyH6590WtRhfEM18Gz3lN2qC+6CFvV7kE5wTmP7V2HIH
	 BHuUIuoA4ZQmQ==
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 736711801E9
	for <internals@lists.php.net>; Tue, 24 Mar 2026 19:31:31 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=0.6 required=5.0 tests=ARC_SIGNED,ARC_VALID,BAYES_50,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,
	HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,
	SPF_PASS autolearn=no autolearn_force=no version=4.0.1
X-Spam-Virus: No
X-Envelope-From: <ilia@ilia.ws>
Received: from mail-wr1-f49.google.com (mail-wr1-f49.google.com [209.85.221.49])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Tue, 24 Mar 2026 19:31:31 +0000 (UTC)
Received: by mail-wr1-f49.google.com with SMTP id ffacd0b85a97d-439af7d77f0so4326492f8f.0
        for <internals@lists.php.net>; Tue, 24 Mar 2026 12:31:26 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1774380685; cv=none;
        d=google.com; s=arc-20240605;
        b=iz9cD+aJosEsECj70vViGT88vtQR+oAMXyGgo8yuG57Xk82ZVGYaooG3bHORdk7F3i
         eikttgdrXPZJXr6btqtV3MERgsSQLYBHRbmaW842mY3/0QVjDpUJThh6e3BRflqMdR9x
         QIwmEftT/T1HLA67VahhAIgrFVmPSkOqwr+8cJkPEXX3AeiAl9qlq981yKwNu8RwawOu
         O0nlutd829Fjg9CS/TfS+zwS42hfyyYRafI4YvXQptSJbpcFsMvsItFCM62YFsXOZmhC
         jCuRASA5SxuiZrkOL19h9sXUPuQ3lAiP5tW1zEyRM2Vb2p6CQE/lD1+uysCbNg4r3NSF
         HX8w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:dkim-signature;
        bh=6v9f6ZnhNoiw8N1ppqS3M/R/junEVN0rClIGz0i7ylY=;
        fh=qlVqNpzd5JAjVxu5TFIZ0+XZzzut7zIwV6lsb7AXs34=;
        b=AU45zCnbU1HH1GI46Dt4M+Lhl70yZ0rCQiemoGI4VehWXrc27MK+SzIBUccohonZg4
         dLnBNn1TNItDsoWFqRWVjoFiLDg12T9z8hPQcr0YQeufVvIyCUHwqHzgmUP2UrQRVhmS
         jBTGSDEswOX1N+c+hxZ6x7y6gSt9dw1zZy8nLYWAA7Ui/ISKEdLlPIiGbuYd2beJELgJ
         2xsRsmZ9Exa9uzXJ2cK3IYquftli6H51CYfMEDNsHVnuF1wjXYvMn4iodPGq5WV/auhH
         CcqtM8K3eEP2ilqLGz55MQZFnM4XVO7qsPpTXblf0Fc2IqKFy6l5huMMqxr2h293hGOL
         N3kA==;
        darn=lists.php.net
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ilia.ws; s=google; t=1774380685; x=1774985485; darn=lists.php.net;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=6v9f6ZnhNoiw8N1ppqS3M/R/junEVN0rClIGz0i7ylY=;
        b=cxXoVewNJ89iJ5/hnkpwF3bpCfw3dKDHbyfr3S7sz45QACLGmG5LmdNv1uEp9jHMZQ
         Qkz1FB9N6icZAJlUwu5AAfxqEkYWKycKD27qQnRT+RCcFu06aoo6n9q5SYYye++rJnS1
         /h0YbHW9icOtIWR2zeoh2ocbU6yqow/CCi0wSs0SrJupimuzGrcLFma7Jnz27SVNDp5n
         ySncMiulo3InroSql7O0cB6oaRRa8kzo7R6Im4JYdUwYeAiXRjbWcWOUeSDScVdcP9cg
         2/SDgt4Vi9wzCSvnD6mlfgRXd7+pGF2lP4fFeNboQPjtp84BoiB4quw3owB4BU6Sozks
         ZrmQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1774380685; x=1774985485;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=6v9f6ZnhNoiw8N1ppqS3M/R/junEVN0rClIGz0i7ylY=;
        b=il9M8NQXZctbkqJupZOuKrkI8bphvQ7OuclYooFq/TWCEjcRR9AqijaLDV1oYHQOWG
         uIbiCTS3rE/6WWopmJBnyyL+H1lqZYnLRIYLENg4DAkLTsjJmGRIq8dmMzb+JcBF+yKx
         53P4sF6OxrS9lDs3mAjSmJ8dfskA3AwU3B8ilNlj/13jtwVTufmUmwKzb8u3vxCl1nb9
         pj8/uNga+nC6rMOktoZTRUDbJpjwz66c7lDBRuLue45pYVuwu5wIe+r/b2aQw0QbjZ29
         4Ymz3HBHulAx+N3Pd9jLf+k/N+lbsghbzeRShzuPMuqgVNA8ndcTXOfERbK4ryPavENb
         9zRA==
X-Gm-Message-State: AOJu0Yzewv2GIOL0ktoCJY/UiI8i1wsGSMu9DD7MJ8GPSc1vDWoheCyL
	qHtmKDK3QEZ3wf87IltuxdeN+EPZFYbSUXhhZ3nxMzrtajCDEFb7V701VfR5lKrEJ+6axy8hnPR
	oAO/EIV5IZAk45b8aQdpMEvsh+qRA7GZkmP8XpGVp
X-Gm-Gg: ATEYQzw0SWE3kN16arfXS+pSobuCcovGOIFIVq4ea3VCKo/O3D0pffXARL2hrdchFEB
	8hvqwrFGC3QvtwVSB1YwRG2C0dUpaRs/zxXD1lRcAqrvnKQ5Yv+8LwefB2DhHPadm8/jyxwjUEl
	T0u8aiHoKrkXdM91kdPNZGqVLa0VlTClFgp9QxbKWujxJPES6xBLN0qaKYWhbK0DozaixHEHYFS
	1g3+AP5b5WTf1ZM0pSCK+bDU4ujykhDuMQqU/deSsLE94HrPUAC9o7+twWm5WDmABsrYIPGXYFu
	CTYJNb1Hb7bvANIS24wkADrJODitPObJbcFee6DWuI4ZWe4OAQ3v5RICqaL5CnD+9LXl
X-Received: by 2002:a05:6000:2385:b0:43b:4396:674f with SMTP id
 ffacd0b85a97d-43b88a0d0b0mr973267f8f.55.1774380684986; Tue, 24 Mar 2026
 12:31:24 -0700 (PDT)
Precedence: list
list-help: <mailto:internals+help@lists.php.net>
list-unsubscribe: <mailto:internals+unsubscribe@lists.php.net>
list-post: <mailto:internals@lists.php.net>
List-Id: <internals.lists.php.net>
x-ms-reactions: disallow
MIME-Version: 1.0
References: <3f4f6959.eaf.19cf0276cd8.Coremail.lamentxu@163.com>
In-Reply-To: <3f4f6959.eaf.19cf0276cd8.Coremail.lamentxu@163.com>
Date: Tue, 24 Mar 2026 15:31:13 -0400
X-Gm-Features: AQROBzD2kb8X0ZDdKfGUY8E8enjSK0PrIbqHbxu3kyOlV-95d-9k-49ZdG55BTs
Message-ID: <CALkpNnT3njeR955rQwG2oegM8UKQMmiGuEfL3UWH=6owput_Lw@mail.gmail.com>
Subject: Re: [PHP-DEV] [RFC] Remove \0 from default trim() character mask
To: LamentXU <lamentxu@163.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="0000000000006cdc25064dca32a6"
From: ilia@ilia.ws (Ilia)

--0000000000006cdc25064dca32a6
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

That seems a bit dangerous, since non-stripped \0 can potentially lead to
issues because when concatinated with other strings, which is quite common
for string operations can result in un-predictability and possibly even
security issues.

You make a good point about other languages, the concern is while there
that is the expecation and different solutions exist for
sanitizing/handling \0 they are well known and understood, in PHP the
assumption is that \0 is removed and the change of this assumption breaks a
lot of things. Trim functions already allow 2nd parameter with character
list, so it is already possible to exclude \0 from being trimmed.

Just my 2c.

On Sun, Mar 15, 2026 at 2:23=E2=80=AFAM LamentXU <lamentxu@163.com> wrote:

> Dear all,
>
> I am sending this to introduce my new RFC:
> https://wiki.php.net/RFC/dont_trim_NUL
>
> Quick summary:
>
> Currently, PHP's trim functions strip the NUL byte (\0) by default,
> treating it alongside spaces, tabs, and newlines. This creates a highly
> surprising edge case.
>
> Because \0 is semantically a control character or a vital part of a
> binary payload rather than a typographical whitespace character, casually
> using trim() to clean up trailing newlines can silently corrupt binary
> streams or cryptographic hashes by stripping legitimate NUL bytes.
> Whitespace characters are intended for typographical spacing and formatti=
ng
> (e.g., spaces, newlines, tabs).
>
> Also, almost every mainstream programming languages except PHP doesn't
> trim NUL characters (python, go, rust, js, even 'is_space' function in
> glibc...) It sounds reasonable to expect the same here.
> This RFC proposes removing \0 (ASCII 0) from the default character mask.
> I recognize this introduces a backward compatibility break, and therefore=
 I
> would love to hear your thoughts, feedback, and any concerns regarding th=
e
> BC impact before moving forward.
>
> Cheers,
> Weilin Du
>


--=20
Ilia Alshanetsky
Technologist, CTO, Entrepreneur
E: ilia@ilia.ws
T: @iliaa
B: http://ilia.ws

--0000000000006cdc25064dca32a6
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">That seems a bit dangerous, since non-stripped \0 can pote=
ntially lead to issues because when concatinated with other strings, which =
is quite common for string operations can result in un-predictability and p=
ossibly even security issues.=C2=A0<div><br></div><div>You make a good poin=
t about other languages, the concern is while there that is the expecation =
and different solutions exist for sanitizing/handling \0 they are well know=
n and understood, in PHP the assumption is that \0 is removed and the chang=
e of this assumption breaks a lot of things. Trim functions already allow 2=
nd parameter with character list, so it is already possible to exclude \0 f=
rom being trimmed.</div><div><br></div><div>Just my 2c.</div></div><br><div=
 class=3D"gmail_quote gmail_quote_container"><div dir=3D"ltr" class=3D"gmai=
l_attr">On Sun, Mar 15, 2026 at 2:23=E2=80=AFAM LamentXU &lt;<a href=3D"mai=
lto:lamentxu@163.com">lamentxu@163.com</a>&gt; wrote:<br></div><blockquote =
class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px sol=
id rgb(204,204,204);padding-left:1ex"><div style=3D"line-height:1.7;color:r=
gb(0,0,0);font-size:14px;font-family:Arial"><div style=3D"margin:0px">Dear =
all,</div><div style=3D"margin:0px"><br></div><div style=3D"margin:0px">I a=
m sending this to introduce my new RFC:=C2=A0<a href=3D"https://wiki.php.ne=
t/RFC/dont_trim_NUL" target=3D"_blank">https://wiki.php.net/RFC/dont_trim_N=
UL</a></div><div style=3D"margin:0px"><br></div><div style=3D"margin:0px">Q=
uick summary:</div><div style=3D"margin:0px"><p>Currently, PHP&#39;s trim f=
unctions strip the NUL byte (<code>\0</code>) by default, treating it along=
side spaces, tabs, and newlines. This creates a highly surprising edge case=
.</p><p>Because <code>\0</code> is semantically a control character or a vi=
tal part of a binary payload rather than a typographical whitespace charact=
er, casually using <code>trim()</code> to clean up trailing newlines can si=
lently corrupt binary streams or cryptographic hashes by stripping legitima=
te NUL bytes. Whitespace characters are intended for typographical spacing =
and formatting (e.g., spaces, newlines, tabs).</p><p>Also, almost every mai=
nstream programming languages except PHP doesn&#39;t trim NUL characters (p=
ython, go, rust, js, even &#39;is_space&#39; function in glibc...) It sound=
s reasonable to expect the same here.</p>This RFC proposes removing <code>\=
0</code> (ASCII 0) from the default character mask.
I recognize this introduces a backward compatibility break, and therefore I=
 would love to hear your thoughts, feedback, and any concerns regarding the=
 BC impact before moving forward.

<br></div><div style=3D"margin:0px"><br></div><div style=3D"margin:0px">Che=
ers,=C2=A0</div><div style=3D"margin:0px">Weilin Du</div></div></blockquote=
></div><div><br clear=3D"all"></div><div><br></div><span class=3D"gmail_sig=
nature_prefix">-- </span><br><div dir=3D"ltr" class=3D"gmail_signature"><di=
v dir=3D"ltr">Ilia Alshanetsky<div>Technologist, CTO, Entrepreneur</div><di=
v>E: <a href=3D"mailto:ilia@ilia.ws" target=3D"_blank">ilia@ilia.ws</a></di=
v><div>T: @iliaa=C2=A0</div><div>B: <a href=3D"http://ilia.ws" target=3D"_b=
lank">http://ilia.ws</a></div></div></div>

--0000000000006cdc25064dca32a6--