Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:70680 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 28965 invoked from network); 16 Dec 2013 21:42:22 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 16 Dec 2013 21:42:22 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.128.51 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.128.51 mail-qe0-f51.google.com Received: from [209.85.128.51] ([209.85.128.51:37120] helo=mail-qe0-f51.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 37/51-32483-DB37FA25 for ; Mon, 16 Dec 2013 16:42:22 -0500 Received: by mail-qe0-f51.google.com with SMTP id 1so4398239qee.38 for ; Mon, 16 Dec 2013 13:42:19 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=Lq1GC3n9Kd0MxJZGDpjnrjYYlom2LOCbVMPw6m3+OXg=; b=v0UsgTMZfEbrhEHmYIMr0zkE/C1IbWvJ6iDXGZdm19Uh3nIQHsaLwmsTJz+00ugoFc O8LEAASZ9fIOKLsHenzqZt267BXfPTvfzd3PlL5wbjHeWvjE1u+69XyGlBENIX7wXaKv bAG//4XHhep1RjpZYJAFVaqG46W01+pHXrYKgejy4t1M+mVi/IjLELSAevQQ749zNm9Z ZwF1rZHxtHfYrkjgk8WFsV0I1n5mTpgqQkA2alvmxOSnaqrFJHtwBR2hWVlesz4YUjkt Ff5T9UabrsMdg6sHrgsLNDn4rgUj0OvInGchfru9yflTZ62rU0W/e+672AGG0ufTpBTp +BRA== X-Received: by 10.49.35.112 with SMTP id g16mr36577065qej.13.1387230139086; Mon, 16 Dec 2013 13:42:19 -0800 (PST) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.224.23.129 with HTTP; Mon, 16 Dec 2013 13:41:39 -0800 (PST) In-Reply-To: References: Date: Tue, 17 Dec 2013 06:41:39 +0900 X-Google-Sender-Auth: heffe38nylyCiJbdkHOXcD8RJZE Message-ID: To: Adam Harvey Cc: "internals@lists.php.net" Content-Type: multipart/alternative; boundary=047d7b676f7ca97dc204edadaf54 Subject: Re: [PHP-DEV] Re: Making addslashes() multibyte aware From: yohgaki@ohgaki.net (Yasuo Ohgaki) --047d7b676f7ca97dc204edadaf54 Content-Type: text/plain; charset=UTF-8 On Tue, Dec 17, 2013 at 5:54 AM, Adam Harvey wrote: > On 16 December 2013 12:44, Yasuo Ohgaki wrote: > > I don't think locale based MBCS support is optimum, but I'll add it to > > addslashes() for now. > > I don't think basing behaviour on the locale is a great idea (as > evidenced by the various issues with Turkish and Azeri over the > years). Could we just add an explicit encoding parameter like > htmlspecialchars()? > That's an option, but it requires a lot of work w/o mbstring being a default "compiled" module. > > > Question is where should I start? > > It's security issue for certain char encodings such as SJIS/BIG5. > > Is there a case other than database access (where we've been directing > users to better APIs like PDO and mysqli for several years, at least) > where this is likely to cause security issues? When users are exporting PHP variables that are supposed to be parsed as PHP (or PHP data, e.g. serialize()), addslashes()ed SJIS/BIG5/etc will break string quoting with certain chars. This can be used to execute attacker provided PHP code. > > I'll fix php_addslashes(). Therefore, any functions that use it > internally > > are affected. e.g. var_export(), etc. Users are not affected as long as > > they are using correct locale. > > > > Should I fix this from 5.3? > > This feels like it has the potential to be a really nasty implicit BC > break. I don't think we'd want to change default behaviour on any > stable branch, honestly. I cannot object this argument. There may be unexpected side effects. However, users will not be affected as long as they are using correct locale if locale system is not broken... Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net --047d7b676f7ca97dc204edadaf54--