Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:130660 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by lists.php.net (Postfix) with ESMTPS id E17311A00BC for ; Thu, 16 Apr 2026 10:05:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1776333936; bh=9c/bJs2xNLK7sjK7/ttpxTGmOpso9NweYO+Er2AIvTk=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=Jys3PkZnurkl4Axoe89IlL8e6FZ2d+oxv0rMzMb5YKFx2SKrHawiEVTtwvNsCWW+4 9Ww9fvz0F8fwp9NP96AjjEcrzcWALD+nIy9jd3XENCyphwPmLwBk9u2vLZLvQHd9EL Sh26nGtP2+fQZ5uNNuM4+KxfM8hpm6SeByfJjZ224kqu336ijDaUWwAMRUexK14c/W B8ZUMK8f1+bBR0uj7MXx4efc74MW5V32lphRavO7TL8G1ImTYRyqZbNBl7C4/X81WP 5Vaklr5EoBZQAp25LGrPYuN9ZXiCspVo24fiCml/rK2Nm8j7TxtbbfE9IVM5wbKJI/ gJrppFgXQVeKQ== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 00E7218004C for ; Thu, 16 Apr 2026 10:05:30 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.6 required=5.0 tests=ARC_SIGNED,ARC_VALID,BAYES_50, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_MISSING, HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=4.0.1 X-Spam-Virus: No X-Envelope-From: Received: from mail-vs1-f47.google.com (mail-vs1-f47.google.com [209.85.217.47]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Thu, 16 Apr 2026 10:05:30 +0000 (UTC) Received: by mail-vs1-f47.google.com with SMTP id ada2fe7eead31-605823aec55so4549735137.2 for ; Thu, 16 Apr 2026 03:05:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1776333925; cv=none; d=google.com; s=arc-20240605; b=X0VTlKDqtNI7dHcJhOSusaUrsV54t74021jqUq9p7cnWWJB0xTstkevI8iEjhQSSka PzzNCE7u8fGuMV2cfPW4iR1Ahoe1Oja6jjYVMFgoyclB5lc/oCdFVQgfXHZik+P2ncdh fMuXmBMe5RohBBolluS4RkcJ5Fmtnud2Og5Sh2TRSM6kv6l1W7wqF3oRRg/7hWw09cSx o2gnVOtym78CyoshQOzjudg021CDZoTDSBO213Ospe0oggR6jBskS60Yoo088K8nXGah E3RLx0lYnIF59i/dmRRZ/imkTcaX06IqEfNiWbwxz+M1+QEN8MZG6K9yYjc1T8FhT4bx dV7A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=9c/bJs2xNLK7sjK7/ttpxTGmOpso9NweYO+Er2AIvTk=; fh=jMVQQEx4pH6BCsBOnszpI5BcuHYmqBDm2Yss0FiFMBM=; b=foeY6g3IGCp7jWXtxyVph8ci6cJqZ3ZHvB+aHhNgu3QVIOwDxLkHGXCxEgwung2vGl 7KgtcHCSOTmPQ+pxCHOd4W9gHjZs9dG0CLMXgqrD3y8+5Bl47RfpQcYozelMUuKunyNx srAdSFYHMxsKuDiUs8efF08PQPuRJ/o1uklXUBKL5pnNXQZA5YJqdpFX8KmGxZrgWtI+ LWllyhjNS5HOn/K9L7tpbf35bqJUo7YRdcNOpx8ZV5OsW3ZdOiKGJl6QLyY5iRQCkY1O G5q9GvBZHMe0/WqxtyWcqiXaL1nTC6iivTGzIFCqZnMWIFWmdPACSjPcvvtqV29cYCfA ftMg==; darn=lists.php.net ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=devilix.net; s=google; t=1776333925; x=1776938725; darn=lists.php.net; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=9c/bJs2xNLK7sjK7/ttpxTGmOpso9NweYO+Er2AIvTk=; b=fOiXmJn8kIt4ZJMkYNVqrZlQikDN8WyIK7fxB5wCL7ssccA0YZyUhuIMkUgBukrP/t K1s0EomW7WzlNlWViTIOCyLgu/VH4w3Byk5CxoRkqB5jVqyOz/xr1jLKEzvQF/lhnLR3 eenIl0tzmjOXmQSiLqwMuk8YXaByBTekWpCwc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776333925; x=1776938725; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=9c/bJs2xNLK7sjK7/ttpxTGmOpso9NweYO+Er2AIvTk=; b=r1aCxTTgGxfZv6COpehJOGNuyziTY0PQhaWMqlGzdFkg6Gdc8nWYsQf7yh9RUNqCmQ zhx3X9Odhmret+gLJoUadH5htBMSEuvYQolCXJprnQOBegio2dMyICtdWVTqAfX7uOoX YT0boSeR/bsBg4rJoTWLS3R5X7Dnn7HXq8Z3+eoMIbbaIAVmyX2yqtHMallCe+Uo3Rn8 7ecks8uEljlw24QHSFWtYWItCOn1ak1XRpJVL1F53dkXr2xkbvhu0r3r/WLo5+zAPHTF Nwu5vVlgIX22OwhehgCQg1ISF6qIcLUFigRDqObIhbvMPc7uRRVpj5u2KfTk/lPHV8lk +1LA== X-Forwarded-Encrypted: i=1; AFNElJ+FT/sX07DUamyJUaTQAkQ5vGx9nFnvXL9Kl0h/ZEJ+JIHJ/ohHVP4jBmT7XNjpBvNYzMTE9X1GIoc=@lists.php.net X-Gm-Message-State: AOJu0YzqI8k+VOhOkrVIASkR/nR3y3ag0kh+BRlyfsVrnam0rhfC/W89 ufGdAaneG+DSCRzWZZr5H2eAHfwn77BJ8LxFoKaUZAh8dKp1GISd2w4LY1TO0UgZuIaMDS6wAOE qQ5fjLsA4ifH5l15Tf2cqAZOrEU/MYb7KqX4j32Ie X-Gm-Gg: AeBDieswUHahXDeJwEbFXfgxkyWRCS3ozGLH9iyMjEYUMbD/bTTfLBhXFLkBBBChjOf 5ISH2CPuXfsIfgWOGKHIZBWoJLazUpuDD3X7pgyU7ly/R/4q95y/z6JhqMGLGuUObkyPYGE3Cjf WajoIdPr/pzyzy9I+zjg5YRnAN4TZQ3TqdwvaPH0Gd9ju7gu4kL+PazCa6zpehJLXq0fHB5i6x4 VwthPpH9ZJ592AmoJB2qe+RMxb5a0WXxgj2uqxA5+YHTANoS7K8DPKPEZy4I2k3QJWuyMDXMlkG oMUaQGAXU9POf4Zlpe9Gd/+zcKBKd8N1PcfOaEGU5nhJ1ldzC7yUf541yKK0SdnYW6qSYgY99O1 5BjWXDCjJEmJRBQqO X-Received: by 2002:a05:6102:291e:b0:602:b037:4de8 with SMTP id ada2fe7eead31-609fe8a45fbmr12551994137.4.1776333924601; Thu, 16 Apr 2026 03:05:24 -0700 (PDT) Precedence: list list-help: list-unsubscribe: list-post: List-Id: x-ms-reactions: disallow MIME-Version: 1.0 References: <939CFA28-A6FF-433F-85A0-B83345CEF4A6@cmpct.info> <0598E8E2-F795-45E4-9177-0CA1B1808008@cmpct.info> <9F4960AC-3B1B-4174-B37F-19268C846BB0@cmpct.info> <836c1a50be44588a459f40c6b83c5804@bastelstu.be> In-Reply-To: Date: Thu, 16 Apr 2026 13:05:13 +0300 X-Gm-Features: AQROBzBWGLJmMKorWOTeocISO-xhCF46KHwFfGKEaUhQncb73wvYli_4WcqYV8o Message-ID: Subject: Re: [PHP-DEV] [RFC] Display Function Arguments in Errors To: Calvin Buckley Cc: =?UTF-8?Q?Tim_D=C3=BCsterhus?= , PHP internals Content-Type: multipart/alternative; boundary="000000000000941def064f90f8cf" From: narf@devilix.net (Andrey Andreev) --000000000000941def064f90f8cf Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Fair enough, thanks for the clarification, although then this initial response makes little sense in context: On Thu, Mar 12, 2026 at 5:59=E2=80=AFPM Calvin Buckley = wrote: > This is something I'm also concerned about, but I feel the cat is > already out of the bag with backtraces in exceptions providing the same > parameter information. PHP and the library ecosystem seem to be adopting > the sensitive parameter attribute, so my hope is that applications also > start adopting it. Also, you can only mark a parameter as sensitive if you *know* that it contains something sensitive, so I'm assuming that only covers passwords, private keys, etc. However, almost any string parameter can contain sensitive data and that's where the danger is - all applications handling PII will be at risk of inadvertently leaking data through logs. Cheers, Andrey. --000000000000941def064f90f8cf Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Fair enough, thanks for the clarification, although t= hen this initial response makes little sense in context:

On Thu, Mar 12, 2026 at 5:59= =E2=80=AFPM Calvin Buckley <calvin@= cmpct.info> wrote:
This is something I'm also concerned about, but I feel the cat is
already out of the bag with backtraces in exceptions providing the same
parameter information. PHP and the library ecosystem seem to be adopting the sensitive parameter attribute, so my hope is that applications also
start adopting it.

Also, you can only= mark a parameter as sensitive if you *know* that it contains something sen= sitive, so I'm assuming that only covers passwords, private keys, etc. = However, almost any string parameter can contain sensitive data and that= 9;s where the danger is - all applications handling PII will be at risk of = inadvertently leaking data through logs.

Cheers,
Andrey.
--000000000000941def064f90f8cf--