Newsgroups: php.internals
Subject: Re: [PHP-DEV] is_a() - again - a better fix
Date: Wed, 21 Sep 2011 01:38:49 +0200
To: Alan Knowles
Cc: PHP Internals
In-Reply-To: <4E790B82.6090805@akbkhome.com>
References: <4E790B82.6090805@akbkhome.com>
From: tyra3l@gmail.com (Ferenc Kovacs)

On Tue, Sep 20, 2011 at 11:54 PM, Alan Knowles wrote:
> Let's try and close this one.
>
> https://bugs.php.net/bug.php?id=55475
>
> I've just added a patch that adds is_class_of(), which is identical to
> is_subclass_of, and has the new feature of supporting strings and using the
> autoloader.
>
> It then reverts is_a() back to the previous behavior, and clarifies the
> documentation.
>
> This solves the BC issues, and also solves potential security issues with
> existing code accidentally passing $url's to the autoloader, and gives
> anyone who needs this new behavior a solution.
>
> Let's at least try and respect the new release RFC, and our users who
> appreciate PHP's efforts over the years to try and maintain BC. (it's one of
> its few advantages these days...)
>

Hi Alan,

As it was mentioned before, the main reason to not revert back to the old
behavior is to not break BC once again (it shouldn't have happened in the
first place, but we can't change that. :()
The security implications were never brought up though, but I think that it
is plausible that there are people out there without suhosin, having
allow_url_include enabled, and using a vulnerable autoloader (the PSR-0
reference implementation is vulnerable for example), so maybe it is worth
discussing.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
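Ferenc's point about a vulnerable autoloader, illustrated with an added example that is not part of this thread or of PHP itself: a PSR-0 style autoloader hardened so that an arbitrary string reaching it (for instance through is_a() being handed a URL) can never become an include target, whatever allow_url_include is set to. The base directory constant, the naive_psr0_path/safe_psr0_path helper names and the sample class names are assumptions for the illustration.

```php
<?php
// Added example (not from the thread): hardening a PSR-0 style autoloader so
// that only syntactically valid class names are ever turned into a file path.
declare(strict_types=1);

// Assumed base directory for this illustration.
const AUTOLOAD_BASE = __DIR__ . '/src';

// The naive PSR-0 mapping: the class name becomes a path with no validation,
// so a URL or "../" sequence passed as a "class name" is included as-is.
function naive_psr0_path(string $class): string
{
    $class = ltrim($class, '\\');
    return AUTOLOAD_BASE . '/' . str_replace(['\\', '_'], '/', $class) . '.php';
}

// Hardened resolver: returns the file to include, or null when the name must
// be rejected. Keeping "resolve" separate from "include" makes it testable.
function safe_psr0_path(string $class): ?string
{
    $class = ltrim($class, '\\');
    // Only ASCII identifier characters and namespace separators are accepted
    // (stricter than PHP's own grammar); this alone rules out "://", "/", ".."
    // and NUL bytes, so stream wrappers are never consulted.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\\\\[A-Za-z_][A-Za-z0-9_]*)*$/', $class)) {
        return null;
    }
    $file = AUTOLOAD_BASE . '/' . str_replace(['\\', '_'], '/', $class) . '.php';
    // Defence in depth: the resolved file must exist and sit under the base dir.
    $real = realpath($file);
    $base = realpath(AUTOLOAD_BASE);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($real)) {
        return null;
    }
    return $real;
}

spl_autoload_register(function (string $class): void {
    $path = safe_psr0_path($class);
    if ($path !== null) {
        require $path;
    }
});

// Constructed inputs of the kind a string-accepting is_a() would forward to the
// autoloader: only the genuine class name can resolve; the others yield NULL.
foreach (['Vendor\\Package\\Thing', 'http://example.invalid/x.php', '../../etc/passwd'] as $name) {
    var_dump(safe_psr0_path($name));
}
```

The first input resolves only if src/Vendor/Package/Thing.php actually exists under the base directory; the two malformed inputs are rejected before any filesystem or stream access happens.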