Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:60503 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 71790 invoked from network); 7 May 2012 08:56:48 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 7 May 2012 08:56:48 -0000 Authentication-Results: pb1.pair.com header.from=tyra3l@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=tyra3l@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.210.42 as permitted sender) X-PHP-List-Original-Sender: tyra3l@gmail.com X-Host-Fingerprint: 209.85.210.42 mail-pz0-f42.google.com Received: from [209.85.210.42] ([209.85.210.42:33471] helo=mail-pz0-f42.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 25/25-33304-B4E87AF4 for ; Mon, 07 May 2012 04:56:44 -0400 Received: by dalf4 with SMTP id f4so4439521dal.29 for ; Mon, 07 May 2012 01:56:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=KfnGNLqcIkyXRb0RdYaQ7HhPdlOCLmemTvwEV2hvWZE=; b=v2jGnA3wYRJ6NujlMtin8eOlNSiaj/R4t/pL3mPNJq8ATfKQKoWyfE3FFe6h+iDtj6 XIAeAuenpvmUOzIfo6+zMz2FHsXHf/WxHJRs+19s0yrXrlHvbV+XXqQYG4yn65mL4eZs EIRhY8SK5++/bvJuNJkhHTTi8J55Q6xZcfr2BidDa1T0gHp+VeOE7CyKFMOtCxRDv0+I mgrB+3qhn49dzfzB3EupTEKlkraRPpSyP0MSuv5DmwNurzU7fWG/j1Ln2b220wdsB/sM vQ+2IiC2De7cZZzNlMw6hrEmKDoh+TlZKIvmWifefsaTZp9/0QMILdeFt9QohwLdaoCz wdug== MIME-Version: 1.0 Received: by 10.68.221.105 with SMTP id qd9mr1534274pbc.1.1336381000220; Mon, 07 May 2012 01:56:40 -0700 (PDT) Received: by 10.68.64.133 with HTTP; Mon, 7 May 2012 01:56:40 -0700 (PDT) In-Reply-To: References: <4F847B8A.9010007@sugarcrm.com> <733bc8ea59cf6737563a62886e92fcb6.squirrel@www.l-i-e.com> Date: Mon, 7 May 2012 10:56:40 +0200 Message-ID: To: Kris Craig Cc: Arvids Godjuks , Tjerk Anne Meesters , PHP Internals , Richard Lynch Content-Type: multipart/alternative; boundary=e89a8ff25682cd81ec04bf6e722f Subject: Re: [PHP-DEV] [off] PHP: a fractal of bad design From: tyra3l@gmail.com (Ferenc Kovacs) --e89a8ff25682cd81ec04bf6e722f Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Mon, May 7, 2012 at 10:31 AM, Kris Craig wrote: > On Mon, May 7, 2012 at 12:28 AM, Arvids Godjuks >wrote: > > > Hello internals, > > > > I should voice my opinion that such things like comparing two strings > > starting with numbers and that they resolve to actual integer/float for > > comparation is bad, really bad. That just defies the logic and yealds > > absolutly unexpected results. I pride myself that i know the juggling > rules > > well, but I'm shocked by this to say the least... > > In my opinion this should change no matter the BC breaks it will create= , > > this one affects security big time. It's good I actually hash my > passwords > > in the MySQL and not on the PHP side, but I have seen hash comparations > > with =3D=3D all the time. And now that this has been discussed in detai= l I > > expect this to be used as an attack method grow wide. > > 07.05.2012 5:32 =D0=BF=D0=BE=D0=BB=D1=8C=D0=B7=D0=BE=D0=B2=D0=B0=D1=82= =D0=B5=D0=BB=D1=8C "Tjerk Anne Meesters" > > =D0=BD=D0=B0=D0=BF=D0=B8=D1=81=D0=B0=D0=BB: > > > Forgive me if I'm missing something, but why are people using =3D=3D for > security-sensitive string comparisons (like hashed passwords) in the firs= t > place?! If you needs something that's safe, isn't that what strcmp() and > strcasecmp() are for? For my part, I pretty much never use =3D=3D on str= ing > comparison, though admittedly that's probably just a matter of having > having come from a C background before PHP. > > That being said, I agree that this *definitely* should be fixed if the > examples cited are indeed accurate (I've been working with PHP for over 1= 0 > years and I was never aware of this bizarre behavior, either). I don't > know the history of this, but I at least would consider it to be a bug. = A > rather large one, in fact; though I think some of the fears expressed are= a > bit hyperbolic. And if you're fixing a serious bug or security > vulnerability, as a general rule of thumb, this automatically supercedes > any concerns regarding BC breakage IMHO. But if that really is a lingeri= ng > concern, I'd suggest targetting the fix for PHP 6, since people would (or > at least should) expect that some PHP 5 code may behave differently in PH= P > 6 anyway given that it's a major release > > I agree with Rasmus (and others) on this one ( http://www.mail-archive.com/internals@lists.php.net/msg57949.html), type numeric conversion on strings on both sides should only happen if both strings can be represented as numbers without losing data/precision. if one or both of the two sides can't be converted to numeric without data loss, then we should compare them as strings. the patch from Cataphract (attached at https://bugs.php.net/bug.php?id=3D54= 547) implements this behavior --=20 Ferenc Kov=C3=A1cs @Tyr43l - http://tyrael.hu --e89a8ff25682cd81ec04bf6e722f--