Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:71591
Return-Path: <jakub.php@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 83515 invoked from network); 26 Jan 2014 19:03:52 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 26 Jan 2014 19:03:52 -0000
Authentication-Results: pb1.pair.com header.from=jakub.php@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=jakub.php@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.50 as permitted sender)
X-PHP-List-Original-Sender: jakub.php@gmail.com
X-Host-Fingerprint: 209.85.216.50 mail-qa0-f50.google.com  
Received: from [209.85.216.50] ([209.85.216.50:40830] helo=mail-qa0-f50.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id A9/E0-12631-71C55E25 for <internals@lists.php.net>; Sun, 26 Jan 2014 14:03:51 -0500
Received: by mail-qa0-f50.google.com with SMTP id cm18so6323173qab.9
        for <internals@lists.php.net>; Sun, 26 Jan 2014 11:03:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:date:message-id:subject
         :from:to:cc:content-type;
        bh=Jelz+aOqqINCknHONqNuzqojQnyvoq2uoOIM70oKFXQ=;
        b=m+UpKf1bbStMJKODf0xupBbkdWh25ShgoNk00gemag3A0t8BEuZyqEZg/5+QgDkrRz
         gIyXefWeQBJC7XyByFGJFyAmCBN+4zgIiAXQm6DTdDOumikuSknoA6DKX5rM3NMsm+vg
         2JZfgEAu8/RcY6dtEuLbh6aBxSHpHatRm62IFalH9V8pviDNsUwqkj2HOUxGNDuQ2P1s
         L0kloz3O8gHwhP1UdKx6w6Ip/7Z2rfNwbpK9M/n3O5Aoe9tgrbuBC/FMp8MrBF0+Ii1s
         dohvimbaKbSJ/9NeQjDk4RSX1Lt4rNtfaWskmEPfPHaECHjuU088UXEvOhYHp68sroe3
         P4Mg==
MIME-Version: 1.0
X-Received: by 10.229.196.197 with SMTP id eh5mr37123705qcb.3.1390763029241;
 Sun, 26 Jan 2014 11:03:49 -0800 (PST)
Sender: jakub.php@gmail.com
Received: by 10.224.68.68 with HTTP; Sun, 26 Jan 2014 11:03:49 -0800 (PST)
In-Reply-To: <CAGa2bXYchsZxmwNb_Zw5--QabLzd4g5M4kuAz7m=QDaq3FVZ0A@mail.gmail.com>
References: <CAGa2bXb7iVGbqpQh8TkDDyr-FmCWTFg1rcXj23ScErhNmikbNw@mail.gmail.com>
	<CAF+90c91stw8B8xqzcg7mfjYWjwRRO71PsHkiFMBjWpGdb6N3g@mail.gmail.com>
	<CAGa2bXYchsZxmwNb_Zw5--QabLzd4g5M4kuAz7m=QDaq3FVZ0A@mail.gmail.com>
Date: Sun, 26 Jan 2014 19:03:49 +0000
X-Google-Sender-Auth: ue01lYFezu0gml0_ug5YIr77COw
Message-ID: <CAEKnhAGSzoi42Zq1a-Z7zDezY7M+YtkrPV8L5tJyWxdWsyLY+A@mail.gmail.com>
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
Cc: Nikita Popov <nikita.ppv@gmail.com>, 
	"internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11c3407453423104f0e440bd
Subject: Re: [PHP-DEV] [VOTE] RFC: Multibyte Char Handling
From: bukka@php.net (Jakub Zelenka)

--001a11c3407453423104f0e440bd
Content-Type: text/plain; charset=ISO-8859-1

Hi,

On Sun, Jan 26, 2014 at 12:51 AM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:

> Hi Nikita,
>
> On Sun, Jan 26, 2014 at 9:38 AM, Nikita Popov <nikita.ppv@gmail.com>
> wrote:
>
> > This RFC conflates the addition of a multibyte version of addslashes (in
> > response to quoted CVE) with the replacement of the mbstring extension
> by a
> > completely different implementation (and an incomplete one at that).
> Those
> > two things have very little to do with each other and should not be
> covered
> > in the same RFC and/or vote.
>
>
> The root cause of this issue is lack of multibyte aware functions that
> relates to security.
>
> I've wrote the RFC to compile current mbstring by default at first, but it
> was
> withdrawn. The reason why is that mbstring is using LGPLed libraries.
> As long as it is loaded as shared module, there would not be issue.
> However, if these are compiled and used statically, LGPL will be
> effective.
>
> To avoid this issue, mbstring would be better to replaced by mbstring-ng
> and move mbstring to PECL for future release.
>
> I'll work on mbstring-ng so that it has all mbstring features. Until then,
> we may have it as EXPERIMENTAL.
>
> Although, it may seem different issue. Compilation of mbstring by
> default is needed to resolve the issue. Therefore, I've made a
> single RFC to accomplish the objective.
>
> Does this sound reasonable to you?
>
> Regards,
>
>
I have been looking a bit into the mbstring-ng. I forked it from moriyoshi
and fixed some compilation issues (for php-master).

https://github.com/bukka/mbstring-ng/compare/next

I also run

$ find ./tests/ -type f -exec sed -i 's/mb_/mb2_/g' {} \;

and then test it a bit. Most of the tests are failing. It hasn't been
update for 5 years so there some runtime issues and there are some missing
functions. It looks that it will require quite a lot of work. I will try to
have a look later if I get time... :)

Thought that it could help a bit when you start working on it. ;)

Regards

Jakub

--001a11c3407453423104f0e440bd--