Newsgroups: php.internals
Subject: Re: [PHP-DEV] is_a() - again - a better fix
From: alan@akbkhome.com (Alan Knowles)
To: Ferenc Kovacs
CC: PHP Internals
Date: Wed, 21 Sep 2011 08:04:28 +0800
Message-ID: <4E792A0C.8040402@akbkhome.com>
References: <4E790B82.6090805@akbkhome.com>

Ferenc, yes I know you are generally -1 on reverting this.

Currently this bug has 20 votes, all at 'this seriously affects me'.

I know Pierre and I are +1 for reverting this change. I think Zeev and Stas were -1 for reverting.

I've already seen bugs on random packages (outside PEAR) reporting problems and thanking me for an explanation. Along with the security issue reported on one of the PEAR bugs. (Not sure if it's in the wild or exploitable yet, but it is feasible.)

As I said before, a BC break for practically nobody against those 20+ people is not a justification for me.

I think we understand both sides of the arguments for this; I would appreciate it if we could get a vote together if it is that contentious.

Regards
Alan

On Wednesday, September 21, 2011 07:38 AM, Ferenc Kovacs wrote:
> On Tue, Sep 20, 2011 at 11:54 PM, Alan Knowles wrote:
>> Let's try and close this one.
>>
>> https://bugs.php.net/bug.php?id=55475
>>
>> I've just added a patch that adds is_class_of(), which is identical to
>> is_subclass_of, and has the new feature of supporting strings and using the
>> autoloader.
>>
>> It then reverts is_a() back to the previous behavior, and clarifies the
>> documentation.
>>
>> This solves the BC issues, and also solves potential security issues with
>> existing code accidentally passing $url's to the autoloader, and gives
>> anyone who needs this new behavior a solution.
>>
>> Let's at least try and respect the new release RFC, and our users who
>> appreciate PHP's efforts over the years to try and maintain BC. (It's one of
>> its few advantages these days...)
>>
> Hi Alan,
>
> As it was mentioned before, the main reason to not revert back to the
> old behavior is to not break BC once again (it shouldn't have happened
> in the first place, but we can't change that. :()-
> The security implications were never brought up though, but I think
> that it is plausible, that there are people out there without suhosin,
> having allow_url_include enabled, and using a vulnerable autoloader
> (the PSR-0 reference implementation is vulnerable for example), so
> maybe it is worth discussing.
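An added example, not code from this thread, from PHP, or from the PSR-0 reference implementation: a PSR-0-style autoloader (the mapping is constructed here) that validates the class name and confines the resolved path before any include, so a string that reaches is_a() and is handed to the autoloader is never turned into a URL or traversal path. It assumes PHP 7.1+ and a src/ directory beside the script; both names are assumptions.

```php
<?php
// Unchecked PSR-0-style mapping (constructed here): whatever string the
// autoloader receives becomes a path, which is the concern raised above.
function psr0_path_unchecked(string $baseDir, string $class): string
{
    $class = ltrim($class, '\\');
    $file  = str_replace(['\\', '_'], DIRECTORY_SEPARATOR, $class) . '.php';
    return $baseDir . DIRECTORY_SEPARATOR . $file;
}

// Hardened variant: accept only syntactically valid PHP class names, then
// confine the resolved file to $baseDir. Returns null for anything else.
function psr0_path_checked(string $baseDir, string $class): ?string
{
    // Identifier segments separated by backslashes; no ':', '/', '.' etc.
    $ident = '[A-Za-z_\x80-\xff][A-Za-z0-9_\x80-\xff]*';
    if (!preg_match("/^\\\\?{$ident}(\\\\{$ident})*$/", $class)) {
        return null;                      // URLs and "../" never reach the filesystem
    }
    $base = realpath($baseDir);
    $real = realpath(psr0_path_unchecked($baseDir, $class));
    // realpath() returns false for a missing file: treat that as "no such class".
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

spl_autoload_register(function (string $class): void {
    $path = psr0_path_checked(__DIR__ . '/src', $class);   // assumed layout
    if ($path !== null) {
        require $path;
    }
});

// Constructed inputs of the kind the thread worries about; both are rejected
// by the class-name check before any path is built.
var_dump(psr0_path_checked(__DIR__ . '/src', 'http://example.com/x.txt'));
var_dump(psr0_path_checked(__DIR__ . '/src', '../../etc/passwd'));
// A well-formed name still resolves normally if src/Foo/Bar.php exists.
var_dump(psr0_path_checked(__DIR__ . '/src', 'Foo\\Bar'));
```

Note that the regex check alone already rejects every string containing a scheme separator or a slash, so allow_url_include and suhosin stop being the only line of defence; the realpath() containment is the second check for anything that does pass the regex.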