Newsgroups: php.internals
From: narf@devilix.net (Andrey Andreev)
Date: Wed, 15 Apr 2026 23:09:57 +0300
Subject: Re: [PHP-DEV] [RFC] Display Function Arguments in Errors
To: Calvin Buckley
Cc: PHP internals

Hi,

My last comment (https://externals.io/message/130290#130377) was not addressed, and I still have two major issues with the RFC as is:

- It is clearly aiming for a default of 1 and unreasonably expects all codebases to be (meticulously) updated with the SensitiveParameter attribute - that is "opt-in security" and not secure by default
- While a "risk of untagged PII in logs" is mentioned, it is done so with language that severely downplays the issue

Given these, and that the word "security" isn't even mentioned in the RFC, I don't believe that the security impact is taken seriously at all.

Cheers,
Andrey.