Newsgroups: php.internals
Message-ID: <4E9A1E93.6050804@sugarcrm.com>
Date: Sat, 15 Oct 2011 17:00:19 -0700
From: smalyshev@sugarcrm.com (Stas Malyshev)
Organization: SugarCRM
To: Rasmus Lerdorf
CC: Alan Knowles, "internals@lists.php.net"
Subject: Re: [PHP-DEV] is_a fix for 5.4 and HEAD
In-Reply-To: <4E977D07.4010503@lerdorf.com>
References: <4E969596.4090704@akbkhome.com> <4E970257.2010906@sugarcrm.com> <4E977A4B.4020609@akbkhome.com> <4E977D07.4010503@lerdorf.com>

Hi!

On 10/13/11 5:06 PM, Rasmus Lerdorf wrote:
> I agree that it is slightly messy, but we have painted ourselves into a
> bit of a corner with the 5.3 mess. Stas, the whole point here is that
> changing the is_a() default in 5.3 caused huge problems, including
> security ones, so setting allow_string to false by default fixes that BC

I've read complaints about it potentially causing security problems, but is there code out there that was OK before and has a security problem with this change? I mean, a real-life app?

I'm thinking maybe we should have this option - but maybe have both defaults set to true? This way if you have buggy code and you absolutely refuse to move to proper code you can easily fix it by putting false where needed, but at least our API is not broken anymore.

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227