Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Deprecate and remove /e modifier from preg_replace
From: h.reindl@thelounge.net (Reindl Harald)
Organization: the lounge interactive design
To: internals@lists.php.net
Date: Sun, 05 Feb 2012 18:21:17 +0100
Message-ID: <4F2EBA8D.1080104@thelounge.net>
References: <4F2EAF7D.9080506@thelounge.net> <60BDBA28-4E97-4C60-8E31-E34F7E4831AC@gmail.com>
On 05.02.2012 18:09, Nikita Popov wrote:
> On Sun, Feb 5, 2012 at 5:45 PM, Michael Stowe wrote:
> [snip]
>> Perhaps another option, if it's a security concern, is the ability to turn off the /e modifier, and have it off by default. This way we can protect our less experienced programmers, while keeping it available for more advanced use cases.
>
> I think introducing an option for this will only create problems. Code
> using /e will be non-portable as it depends on the ini option being
> enabled.

yes, and security-problematic things should only be enabled actively

> Also this way shared hosting will never disable the modifier
> because it doesn't want to break apps.

the one who cares about security will do it

> And I think disabling it is especially important for people on shared hosting,
> who usually are less educated about security than people on dedicated servers.

but the ones on dedicated servers currently have no option to make their setup secure without Suhosin

> Also: If you really want to use /e you can still call eval() inside
> preg_replace_callback. This additionally has the benefit of making the
> code evaluation more explicit.

the problem is "you can"; if it is off by default, you should do it this way if you like portable apps
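The migration Nikita refers to, as an added example that is not part of the thread: a preg_replace() call using /e beside its preg_replace_callback() equivalent. The placeholder pattern and the sample input are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Constructed sample input: a
// template whose {{placeholders}} should be upper-cased.
$subject = 'hello {{name}}, welcome to {{site}}';

// Before: the /e modifier. The replacement argument is PHP source code; the
// text captured by $1 is spliced into that source and eval()'d for every
// match, so matched data flows straight into a code context.
// (Deprecated in PHP 5.5, removed in PHP 7.0, where it warns and returns null.)
function legacy_e_replace(string $subject): ?string
{
    return preg_replace('/\{\{(\w+)\}\}/e', 'strtoupper("$1")', $subject);
}

// After: preg_replace_callback(). The match is handed to an ordinary closure
// as an array of strings; it stays data, and no eval() is involved.
function callback_replace(string $subject): string
{
    return preg_replace_callback(
        '/\{\{(\w+)\}\}/',
        function (array $m): string {
            return strtoupper($m[1]);
        },
        $subject
    );
}

// Where code evaluation genuinely is the requirement, it now has to be written
// as an explicit eval() inside the callback, where code review and a plain
// grep for "eval(" can see it, instead of being hidden in a regex modifier.

echo callback_replace($subject), PHP_EOL;
```

The callback form runs unchanged on every PHP version and does not depend on any ini setting, which is the portability point made above.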