Newsgroups: php.internals
Subject: Re: [PHP-DEV] json_encode() behavior for incorrectly encoded strings
From: theanomaly.is@gmail.com (Sherif Ramadan)
To: Rasmus Lerdorf
Cc: Nikita Popov, Daniel Convissor, PHP internals
Date: Sat, 23 Jun 2012 06:50:01 -0400
In-Reply-To: <4FE33EDF.2000409@lerdorf.com>
References: <20120621141241.GA25789@analysisandsolutions.com> <4FE33EDF.2000409@lerdorf.com>

> The problem with a warning here is that there is usually no way to
> prevent it short of using @ or preceding all calls to htmlspecialchars()
> with an iconv() call. A bad guy can simply send invalid UTF-8 bytes to a
> web app and look for that warning to get a really good idea about the
> server software being used. And yes, I know people should have
> display_errors off in production, but this case is slightly different
> because it is so universal. Other user-triggerable warnings are very
> code-dependent and there is no universal trigger string you can send to
> all PHP apps. Almost all PHP apps call htmlspecialchars() on user input
> at some point.
>
> The call here was whether to throw a warning at all and the idea was
> that it was ok to do so as long as it didn't leak to the world for
> improperly configured servers that had display_errors on. I would be
> fine with removing the warning altogether since sanitizing the string is
> an inherent characteristic of the function now and throwing warnings
> about the normal operation of a function doesn't make much sense.
>
> -Rasmus

So in other words this patch I submitted should be fine?

https://github.com/php/php-src/pull/111

This particular patch doesn't raise any controversy since it doesn't touch
any of that other stuff and simply puts the defined behavior back in place
as it should have been.
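
The "sanitize before you escape" approach Rasmus alludes to (an encoding check ahead of every htmlspecialchars()/json_encode() call, so a client cannot provoke a warning), shown as an added example that is not part of this message or of the php-src patch it references. It assumes PHP 7+ with the mbstring extension; scrub_utf8(), scrub_deep() and safe_html() are names chosen here.

```php
<?php
// Added example, not code from this thread or from php-src. Assumes PHP 7+
// with mbstring; scrub_utf8(), scrub_deep(), safe_html() and the choice of
// U+FFFD as replacement character are this example's own.

/**
 * Return $s with every invalid UTF-8 sequence replaced by U+FFFD, so that
 * htmlspecialchars()/json_encode() downstream never see bytes they reject.
 */
function scrub_utf8(string $s): string
{
    if (mb_check_encoding($s, 'UTF-8')) {
        return $s; // valid input passes through untouched
    }
    // Re-decoding UTF-8 as UTF-8 replaces every undecodable byte with the
    // mbstring substitute character; set it to U+FFFD for the duration.
    $previous = mb_substitute_character();
    mb_substitute_character(0xFFFD);
    $clean = mb_convert_encoding($s, 'UTF-8', 'UTF-8');
    mb_substitute_character($previous);
    return $clean;
}

/** Apply scrub_utf8() to every string inside a nested array (e.g. $_POST). */
function scrub_deep($value)
{
    if (is_string($value)) {
        return scrub_utf8($value);
    }
    return is_array($value) ? array_map('scrub_deep', $value) : $value;
}

/** HTML-escape untrusted text; the client cannot make this call fail or warn. */
function safe_html(string $s): string
{
    // ENT_SUBSTITUTE (PHP 5.4+) alone would also neutralise bad sequences
    // here, but scrubbing once up front covers json_encode() and logging too.
    return htmlspecialchars(scrub_utf8($s), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input: a lone continuation byte (\x80) followed by markup.
$untrusted = "user=\x80<i>x</i>";

// Without scrubbing: htmlspecialchars() returns "" for the whole string and
// json_encode() returns false with json_last_error() === JSON_ERROR_UTF8.
var_dump(htmlspecialchars($untrusted, ENT_QUOTES, 'UTF-8'));
var_dump(json_encode($untrusted), json_last_error() === JSON_ERROR_UTF8);

// After scrubbing: markup is escaped, the JSON is valid, no warning is raised.
echo safe_html($untrusted), "\n";
echo json_encode(scrub_deep(['q' => $untrusted, 'n' => 1])), "\n";
```

Because the scrubbing happens once at the input boundary, later escaping calls behave identically for every client, which removes the universal "send bad bytes, watch for the warning" probe the quoted message describes.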