Newsgroups: php.internals
Date: Mon, 10 Feb 2014 12:56:49 +0900
From: Yasuo Ohgaki <yohgaki@ohgaki.net>
To: internals@lists.php.net
Subject: [VOTE] Multibyte char handling - Remove vulnerability related to multibyte, short and long term

Hi all,

Current PHP has a security issue where an attacker may execute arbitrary script via an encoding-based attack. These two RFCs are the short- and long-term resolutions for this issue.

Short term: Multibyte Char Handling
https://wiki.php.net/rfc/multibyte_char_handling

Add the functions required to resolve security issues. CVE-2014-1239

Long term: Alternative implementation of mbstring using ICU
https://wiki.php.net/rfc/altmbstring

We need the multibyte feature as default. However, the current mbstring has license issues. Resolve the license issues with an alternative mbstring in the future. Introduce mbstring-ng as an EXPERIMENTAL module for further development, testing, and feedback from users.

VOTE: 2014/02/10 - 2014/02/17

Please note that these RFCs are independent from whether PHP is going to support Unicode in core or not. It's about how PHP provides the required features. Even when PHP supports UTF-8 as the string encoding, these multibyte features are required. Otherwise, an encoding parameter/property is mandatory for core multibyte support. We need to support existing applications long term also.

Since it is a security-related issue, please provide/propose an alternative resolution if anyone feels this is not the way to go. There must be a feasible resolution.

Thank you for voting and/or an alternative proposal! Even though an alternative is better proposed during the discussion period, a better alternative is welcome at any time.

Regards,

P.S. We had better have a comment field in the RFC. It is not constructive to just vote "No" without a reason/alternative. Alternatively, we may have a rule to post mail here that explains the reason why.

--
Yasuo Ohgaki
yohgaki@ohgaki.net
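The post names the class of bug (malformed multibyte input reaching code that assumes well-formed strings) but does not show it. The following is an added example, not code from the RFCs or from the PHP source tree; it only uses the existing mbstring functions mb_check_encoding() and mb_substr(), and the sample strings are constructed for illustration. It shows two ways malformed UTF-8 arises in practice: an attacker-supplied overlong sequence, and an application's own byte-oriented substr() cutting a multibyte character in half. In both cases the string fails validation and must be rejected rather than passed on to HTML output, SQL, or a filesystem call.

```php
<?php
// Added example (not part of the RFC or of PHP itself).
// Requires the mbstring extension; every call below is an existing mbstring API.
declare(strict_types=1);

/**
 * Reject input that is not well-formed UTF-8.
 * Returns the string unchanged if it is valid, throws otherwise.
 * Doing this at the trust boundary is what stops encoding-based bypasses
 * of later byte-oriented filters.
 */
function require_utf8(string $input, string $name): string
{
    if (!mb_check_encoding($input, 'UTF-8')) {
        throw new InvalidArgumentException("$name is not valid UTF-8");
    }
    return $input;
}

/**
 * Truncate for display without splitting a multibyte character.
 * substr() counts bytes and can cut a UTF-8 sequence in the middle,
 * leaving a malformed string; mb_substr() counts characters.
 */
function safe_truncate(string $input, int $maxChars): string
{
    $input = require_utf8($input, 'input');
    return mb_substr($input, 0, $maxChars, 'UTF-8');
}

/**
 * Classify a constructed set of inputs so the difference is visible.
 * Returns name => bool (true when the input is well-formed UTF-8).
 */
function classify_inputs(): array
{
    // Constructed sample inputs.
    $good     = "日本語テキスト";       // seven 3-byte characters, valid UTF-8
    $overlong = "\xC0\xAF";             // overlong encoding of '/', never valid UTF-8
    $split    = substr($good, 0, 4);    // 4 bytes: first char plus one byte of the second

    return [
        'good'     => mb_check_encoding($good, 'UTF-8'),
        'overlong' => mb_check_encoding($overlong, 'UTF-8'),
        'split'    => mb_check_encoding($split, 'UTF-8'),
    ];
}

foreach (classify_inputs() as $name => $valid) {
    printf("%-8s %s\n", $name, $valid ? 'valid' : 'INVALID');
}

// Character-aware truncation keeps the result well-formed.
echo safe_truncate("日本語テキスト", 2), "\n";

// The overlong sequence is refused at the boundary instead of reaching a filter
// that compares bytes against '/'.
try {
    require_utf8("\xC0\xAF", 'path');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The point of the example is the ordering: validate the encoding first, then apply filters and character-aware string functions. A byte-oriented filter run before validation can be bypassed by sequences such as the overlong form above, and a byte-oriented truncation run after validation can re-introduce a malformed string, which is why both the check and the mb_* replacement are needed.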