Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Multibyte char handling
From: Nikita Popov <nikita.ppv@gmail.com>
To: Yasuo Ohgaki
Cc: internals@lists.php.net
Date: Thu, 16 Jan 2014 23:38:00 +0100

On Thu, Jan 16, 2014 at 11:34 PM, Yasuo Ohgaki wrote:
> Hi Nikita,
>
> On Thu, Jan 16, 2014 at 9:18 PM, Nikita Popov wrote:
>
>> On Thu, Jan 16, 2014 at 12:50 AM, Yasuo Ohgaki wrote:
>>
>>> Hi all,
>>>
>>> addslashes() could be vulnerable via char-encoding-based attacks.
>>> We need to decide what countermeasure we adopt.
>>> This is the RFC for this issue.
>>>
>>> https://wiki.php.net/multibyte_char_handling
>>>
>>> Please comment.
>>> Thank you.
>>>
>>
>> Please do *not* add encoding parameters to our existing string functions
>> - we have an mb extension and mb functionality should go there. Don't mix
>> the things, it will only lead to a lot of confusion. Right now it's obvious
>> which functions handle encoding how, no need to break that.
>>
>
> This discussion is going in circles.
>
> At first, I proposed a locale-based solution using php_mblen().
> This approach does not require an additional encoding parameter,
> since the encoding is specified by the locale.
>
> However, some people (on the security ML) don't like the solution
> because it is a locale-based solution. It may have unwanted side
> effects. Locale is unreliable and most users just don't care about it.
>
> Therefore, I proposed this approach, which introduces an encoding
> parameter just like htmlspecialchars()/htmlentities().
>
> An encoding parameter (or some way to specify the encoding) for
> security-related string functions is mandatory. We should provide
> some way to specify the encoding.
>
> Do you like the locale-based approach for now?

No, I don't want a locale-based approach. I want the string functions to stay as is. Multibyte variants of the functions can be added to the multibyte extension.

Nikita