Newsgroups: php.internals
From: go.al.ni@gmail.com
Date: Tue, 24 Mar 2026 23:09:06 +0300
Subject: Re: [PHP-DEV] [RFC] Remove \0 from default trim() character mask
To: php internals

Hello.

Using trim() for binary data sounds like a mistake. There's nothing special in whitespace or any other characters in binary data, so why use trim() for it at all? If someone is using trim for binary data, then this might be a deliberate choice. For example, trimming the zero byte might be the sole reason. That's why I disagree with the "Secondly" RFC point.

Java's String.trim() treats characters with code points equal to or less than \u0020 as whitespace. So there's no "surprising case", at least for Java developers, and that's why I disagree with the "Thirdly" point.

However, I agree with the "Firstly" point. But for semantic purists we have the mb_trim function.

Removing \0 from trim() makes code vulnerable to null byte injection attack [1]. I have a strong feeling that the zero byte was added to trim() exactly for this reason.

[1] https://owasp.org/www-community/attacks/Embedding_Null_Code
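The following is an added example, not code from this message or from the RFC. It compares trim() under its documented default mask with a mask that omits NUL, and runs an explicit whole-string NUL check beside both. `MASK_WITHOUT_NUL`, `rejectNulBytes()` and the sample file names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// trim()'s documented default mask: space, \n, \r, \t, \v and NUL.
const DEFAULT_MASK = " \n\r\t\v\0";
// Hypothetical mask with NUL removed, as the RFC title proposes.
const MASK_WITHOUT_NUL = " \n\r\t\v";

/**
 * Hypothetical validator: refuse input that contains a NUL byte at any
 * position, instead of depending on what trim() happens to strip.
 */
function rejectNulBytes(string $input): string
{
    if (strpos($input, "\0") !== false) {
        throw new InvalidArgumentException('input contains a NUL byte');
    }
    return $input;
}

// Constructed sample inputs (not taken from the thread).
$samples = [
    'trailing NUL' => "report.txt\0",
    'leading NUL'  => "\0report.txt",
    'interior NUL' => "report.txt\0.jpg",
    'no NUL'       => "  report.txt\n",
];

foreach ($samples as $label => $raw) {
    $current  = trim($raw, DEFAULT_MASK);     // same as trim($raw) today
    $proposed = trim($raw, MASK_WITHOUT_NUL); // NUL no longer stripped

    try {
        rejectNulBytes($raw);
        $verdict = 'accepted';
    } catch (InvalidArgumentException $e) {
        $verdict = 'rejected';
    }

    // json_encode() renders NUL visibly as \u0000.
    printf(
        "%-13s default=%s without-NUL=%s explicit-check=%s\n",
        $label,
        json_encode($current),
        json_encode($proposed),
        $verdict
    );
}
```

With either mask the interior NUL in the third sample survives trimming, because trim() only removes bytes from the two ends of the string; only the explicit check rejects it.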