Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:130653 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by lists.php.net (Postfix) with ESMTPS id 6EA7B1A00BC for ; Wed, 15 Apr 2026 21:57:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1776290249; bh=//56nkbsrHfTaa3CCMwCbOiUIjk+mXtiWJ2cOlE29Cw=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=B0ij4Lrb5nHl5lJfoz4PmN9i0bHeXiMR+30KgHCIQGKaDJ9wIi1wMDshl62P93HLN RT3ZCeqMj5n2dCNkUHzJo+IYQj070GJeGaXBl8pE67kMCZGDAaD0Our5EBybkDvCm7 Awa/yLMqqe8JU5rBIfrWuBzpHJoemIBBlJazdJxkHUHmJHJesh3B+9XuW0ZztStGqH E+p2qHDlC+626/40XlBv8c9f2EWPymQJ1MIZfRVkkY1gwjON76A8hdB3PVbBMlat+r GuITLJ5W4BuuhfrKf3gg1By7theXv3zvAZr+/ekoq8qb6wbo2SGr5kkWzyWn7jGxs9 u1lJN5A6bi8ag== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 5663418007E for ; Wed, 15 Apr 2026 21:57:28 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,DMARC_MISSING, SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=4.0.1 X-Spam-Virus: No X-Envelope-From: Received: from supercat.cmpct.info (supercat.cmpct.info [71.19.146.230]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Wed, 15 Apr 2026 21:57:27 +0000 (UTC) Received: from smtpclient.apple (fctnnbsc38w-142-134-101-31.dhcp-dynamic.fibreop.nb.bellaliant.net [142.134.101.31]) by supercat.cmpct.info (Postfix) with ESMTPSA id 3A0624350A; Wed, 15 Apr 2026 21:57:16 +0000 (UTC) Content-Type: text/plain; charset=utf-8 Precedence: list list-help: list-unsubscribe: list-post: List-Id: x-ms-reactions: disallow Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3864.500.181\)) Subject: Re: [PHP-DEV] [RFC] Display Function Arguments in Errors In-Reply-To: <836c1a50be44588a459f40c6b83c5804@bastelstu.be> Date: Wed, 15 Apr 2026 18:57:05 -0300 Cc: Andrey Andreev , PHP internals Content-Transfer-Encoding: quoted-printable Message-ID: References: <939CFA28-A6FF-433F-85A0-B83345CEF4A6@cmpct.info> <0598E8E2-F795-45E4-9177-0CA1B1808008@cmpct.info> <9F4960AC-3B1B-4174-B37F-19268C846BB0@cmpct.info> <836c1a50be44588a459f40c6b83c5804@bastelstu.be> To: =?utf-8?Q?Tim_D=C3=BCsterhus?= X-Mailer: Apple Mail (2.3864.500.181) From: calvin@cmpct.info (Calvin Buckley) On Apr 15, 2026, at 5:35=E2=80=AFPM, Tim D=C3=BCsterhus = wrote: >=20 > Hi >=20 > Am 2026-04-15 22:09, schrieb Andrey Andreev: >> - It is clearly aiming for default of 1 and unreasonably expects all >> codebases to be (meticulously) updated with SensitiveParameter = attribute - >> that is "opt-in security" and not secure by default >=20 > There is no stack trace here, which means that the only functions that = are affected by this RFC are native functions. Userland functions = calling `trigger_error()` don't show the function name. All the native = functions in php-src that handle sensitive inputs have been adapted = right with the introduction of the #[\SensitiveParameter] attribute in = PHP 8.2 - and if some are missing, I would consider that a pre-existing = bug that needs fixing. >=20 > And even if this wasn't the case, the ecosystem has widely adopted the = attribute in the 4 years since its introduction, which was easily = possible since attributes are fully backwards and forwards compatible = with all PHP versions (including PHP versions that do not yet support = attributes). >=20 > Best regards > Tim D=C3=BCsterhus I think I'll edit the RFC to clarify this.=