Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:130652 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by lists.php.net (Postfix) with ESMTPS id 7CAFA1A00BC for ; Wed, 15 Apr 2026 20:35:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1776285338; bh=GweUq3UrY7c7CeHZITmxQdbq3Wpp8uNYc9vtBLUSeXk=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=RPMtOQUpeiZ+Mg6rxycOH1+V/mnqSat7cwxQfv8KYzdYpIgM+c/ONxr83pUZgOToY DKOqR0JPlBipqXB1YcYrJSIfo0p1e1sK+c2puPd+pnT8vNt6sP/MzJL1PlshUVPIKA F1yM+P9K48Ja9NFJwcRFUl01/EQSzvXPvvD/0vwhQk5gwqjTnPxW18UWpMPem9odNH sVyJHFqFJHgj5Z8brJfahtEvrZoQMoVZCaFWWHYouKqCPMltGNocabxSkIttLiQPxu LAr01tcnn8ryXguZh9C8b1IeDYIwR05flz77M0nwaOWqK9HwueRmGIyFOpZix1VeUm 7Bsvu+a+ePPMA== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 72F1F18007E for ; Wed, 15 Apr 2026 20:35:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.6 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=4.0.1 X-Spam-Virus: No X-Envelope-From: Received: from chrono.xqk7.com (chrono.xqk7.com [176.9.45.72]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Wed, 15 Apr 2026 20:35:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bastelstu.be; s=mail20171119; t=1776285330; bh=xR71jYc9VsSxHKPQGIFLY3vnF0LJugJhUDxlBPY2iZA=; h=MIME-Version:Date:From:To:Cc:Subject:In-Reply-To:References: Message-ID:Content-Type:from:to:cc:subject:message-id; b=hI8r9th01sEimtpnBAx2jZCBtSQpPuplSz+czbMO6EIH67Boy6Ua2ElMNo0LRKZKB Itocisn6eStOodx6fLJKeAWCBKv0FGTYIL+f9l0Mu6t8q42ITkvgNOcJ7lF2Sh3UUa W3YeWHWK5WZXWkqxxzhMrxr7GY6DFI46B/KqUjb3HrUXdM8a/wMNeBwzjtjfSpYZrZ DkF8p2+KbOWz2guywmj/vUV5E0v21Ut30yTiMIbsSLYwP7yFSpPZIz+gbZjD2jmZ8u d13j4EJX8AfvC+N1JblO8/4WqhWYzY13kUkneHvmPHnmUYEHuDKZPj3VVv3h3hLOT0 2y83mWj4Q0eMg== Precedence: list list-help: list-unsubscribe: list-post: List-Id: x-ms-reactions: disallow MIME-Version: 1.0 Date: Wed, 15 Apr 2026 22:35:30 +0200 To: Andrey Andreev Cc: Calvin Buckley , PHP internals Subject: Re: [PHP-DEV] [RFC] Display Function Arguments in Errors In-Reply-To: References: <939CFA28-A6FF-433F-85A0-B83345CEF4A6@cmpct.info> <0598E8E2-F795-45E4-9177-0CA1B1808008@cmpct.info> <9F4960AC-3B1B-4174-B37F-19268C846BB0@cmpct.info> Message-ID: <836c1a50be44588a459f40c6b83c5804@bastelstu.be> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit From: tim@bastelstu.be (=?UTF-8?Q?Tim_D=C3=BCsterhus?=) Hi Am 2026-04-15 22:09, schrieb Andrey Andreev: > - It is clearly aiming for default of 1 and unreasonably expects all > codebases to be (meticulously) updated with SensitiveParameter > attribute - > that is "opt-in security" and not secure by default There is no stack trace here, which means that the only functions that are affected by this RFC are native functions. Userland functions calling `trigger_error()` don't show the function name. All the native functions in php-src that handle sensitive inputs have been adapted right with the introduction of the #[\SensitiveParameter] attribute in PHP 8.2 - and if some are missing, I would consider that a pre-existing bug that needs fixing. And even if this wasn't the case, the ecosystem has widely adopted the attribute in the 4 years since its introduction, which was easily possible since attributes are fully backwards and forwards compatible with all PHP versions (including PHP versions that do not yet support attributes). Best regards Tim Düsterhus