Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:71196 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 61011 invoked from network); 16 Jan 2014 22:34:52 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 16 Jan 2014 22:34:52 -0000 Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.50 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.215.50 mail-la0-f50.google.com Received: from [209.85.215.50] ([209.85.215.50:42633] helo=mail-la0-f50.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id FA/56-21406-A8E58D25 for ; Thu, 16 Jan 2014 17:34:51 -0500 Received: by mail-la0-f50.google.com with SMTP id ec20so3095336lab.9 for ; Thu, 16 Jan 2014 14:34:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=CWdAy2nPR8V19mSh/9TxEeeSCpPQnyo9KsN5Ep+uxYQ=; b=SQrGuSPsxxYXQJJheKcdF6S267Ptz7di5mlVrOY84Szth9N6h+R96V3NLvur8+68JP zRHB+nHRVtv6fAyCiQerg1QGxfrRYeTQwOzaELVjsITHcvXITw1MZFBAjUf9grq3M9Ms gXSmfKnCfV8QVmPQaAfi0aqCr7ax4eDChpcTBCYsyY4/MtTwUT1Mt8lbtTT5CklPfkTa G4iAD1YSVNPfTJ7KC0haUOJgMdBNmAFTOSd7zbLC9VEjBx6y8Cii1pl6HYf9xrJxVUXh i1CLev34MoK1qFNg3mi/mEkCFl7mdmJlQTkULPCzx2K/X8Cw2bR74Y/SfduzEB6xCSdH bvhg== X-Received: by 10.152.19.170 with SMTP id g10mr6524199lae.9.1389911687092; Thu, 16 Jan 2014 14:34:47 -0800 (PST) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.112.6.68 with HTTP; Thu, 16 Jan 2014 14:34:06 -0800 (PST) In-Reply-To: References: Date: Fri, 17 Jan 2014 07:34:06 +0900 X-Google-Sender-Auth: lxB0A_MH-SvXI7VEb4NLjzrc1JM Message-ID: To: Nikita Popov Cc: "internals@lists.php.net" Content-Type: multipart/alternative; boundary=089e01493f6460deda04f01e08f1 Subject: Re: [PHP-DEV] [RFC] Multibyte char handling From: yohgaki@ohgaki.net (Yasuo Ohgaki) --089e01493f6460deda04f01e08f1 Content-Type: text/plain; charset=UTF-8 Hi Nikita, On Thu, Jan 16, 2014 at 9:18 PM, Nikita Popov wrote: > On Thu, Jan 16, 2014 at 12:50 AM, Yasuo Ohgaki wrote: > >> Hi all, >> >> addslashes() could be vulnerable via char encoding based attacks. >> It is needed to decide what counter measure we adopt. >> This is RFC for this issue. >> >> https://wiki.php.net/multibyte_char_handling >> >> Please comment. >> Thank you. >> > > Please do *not* add encoding parameters to our existing string functions - > we have an mb extension and mb functionality should go there. Don't mix the > things, it will only lead to a lot of confusion. Right now it's obvious > which functions handle encoding how, no need to break that. > This discussion circulate discussion. At first, I proposed locale based solution using php_mblen(). This approach does not require additional encoding parameter since encoding is specified by locale. However, some people don't like the solution (in security ML) because it is locale based solution. It may have unwanted side effects. Locale is unreliable and most user just don't care about it. Therefore, I proposed this approach that introduce encoding parameter just like htmlspecialchars()/htmlentities(). Encoding parameter (or some way to specify encoding) for security related string function is mandatory. We should provide some way to specify encoding. Do you like locale based approach for now? Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net --089e01493f6460deda04f01e08f1--