Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:57735 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 21662 invoked from network); 5 Feb 2012 16:51:19 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 5 Feb 2012 16:51:19 -0000 Authentication-Results: pb1.pair.com smtp.mail=tyra3l@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=tyra3l@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.170 as permitted sender) X-PHP-List-Original-Sender: tyra3l@gmail.com X-Host-Fingerprint: 209.85.216.170 mail-qy0-f170.google.com Received: from [209.85.216.170] ([209.85.216.170:59550] helo=mail-qy0-f170.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 4B/92-09047-583BE2F4 for ; Sun, 05 Feb 2012 11:51:18 -0500 Received: by qcmt36 with SMTP id t36so2943707qcm.29 for ; Sun, 05 Feb 2012 08:51:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=rOXUAZxc0wvzKRI+4BwWlZjVLIvQicDTo8IwA3QgKgk=; b=E4wHdch6PLDZGMfbt3Q4zvfxCw/bZoHOPt98RMxWIZxlFsEf15Vg6/RguHApKWp0Sb /dWHkXaQ6o5VUT2DsSwJc2aQbUtxIE8AUtUl0Nfz0+Uthi6UTOqDTAWAe8M/lvA8SkF8 Coh2IEWudHKePSzsig68r/f/sAkhC0RWpOMzQ= MIME-Version: 1.0 Received: by 10.229.136.79 with SMTP id q15mr5339294qct.149.1328460674815; Sun, 05 Feb 2012 08:51:14 -0800 (PST) Received: by 10.229.235.137 with HTTP; Sun, 5 Feb 2012 08:51:14 -0800 (PST) In-Reply-To: References: Date: Sun, 5 Feb 2012 17:51:14 +0100 Message-ID: To: Pierre Joye Cc: Nikita Popov , PHP internals Content-Type: multipart/alternative; boundary=00248c7117959ed5eb04b83a5ae0 Subject: Re: [PHP-DEV] [RFC] Deprecate and remove /e modifier from preg_replace From: tyra3l@gmail.com (Ferenc Kovacs) --00248c7117959ed5eb04b83a5ae0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Sun, Feb 5, 2012 at 5:21 PM, Pierre Joye wrote: > hi, > > I think we should remove eval at the same time then. As the risk is > exactly the same in both situations. Eval is just as evil and can be > avoided as well (or any other similar features, not sure if other exts > allow that). > > Cheers, > > https://wiki.php.net/rfc/remove_preg_replace_eval_modifier#but_we_don_t_rem= ove_eval_either_do_we I think it would be very unwise to start bringing up that here, when the RFC author explicitly stated that his RFC is not about removing eval. From my POV, the problem with /e is that it is easy miss the fact that using unfiltered user input in your preg_replace call can lead to arbitrary code execution. With eval() you explicitly state that you want this, and if you miss the security implications of your actions, you can blame nobody but yourself. Another difference is that as the RFC states, the /e modifier can be replaced easily with a callback, which would make the code even more clear, so it is an even better alternative. On the other hand, eval doesn't have such an easy alternative, you would have to generate and save the code and include it, which has the same security implications but it is much more tendersome, and it would also open up potential security implications (another process overwriting your temp file would cause arbitrary code execution for example, so one would need to use hard-to-guess filenames and/or exclusive locking, or using custom streams, etc.). To summarize /e has less use cases than eval and it has an alternative which provides better code, which isn't true for eval. --=20 Ferenc Kov=C3=A1cs @Tyr43l - http://tyrael.hu --00248c7117959ed5eb04b83a5ae0--