Newsgroups: php.internals
Date: Fri, 12 Sep 2014 20:08:42 +0200
To: Andrea Faulds
Cc: PHP internals
Subject: Re: [PHP-DEV] Remove alternative PHP tags
From: nikita.ppv@gmail.com (Nikita Popov)

On Wed, Sep 10, 2014 at 3:32 AM, Andrea Faulds wrote:

> I initially thought that I’m not really against removing them really, but
> I think we should have a script to convert them first. Because someone,
> somewhere, is gonna need it.
>

I have added a small script for porting prehistoric tags, see
https://wiki.php.net/rfc/remove_alternative_php_tags#porting_tool

> But then I’ve thought more about it. I’m usually OK with certain BC breaks,
> I just don’t like this specific one. It doesn’t affect me, but, well, I
> don’t see the point. It doesn’t really help language consistency or
> anything, (OK, sure, only two sets of delimiters now, but it’s not a big
> deal like some other things are), and you’ll force people to update every
> file in their codebase if they’re affected, assuming people who use
> alternative tags use them everywhere.

In the context of a recent discussion on this list about the nature of
different BC breaks, this is the very best BC break that is possible. It is
trivial to detect statically and it is trivial to fix statically. Nobody
needs to "update every file in their codebase" manually.

> There’s also a security issue here. If someone uses PHP 7 with a codebase
> that has these alternative tags, your code is now visible to users instead
> of the output, which might include configuration details like database
> passwords or password hash salts. It’s also possible that people won’t
> notice this is happening if they only used these alternative tags in a few
> obscure places.
>

I am amenable to adding the asp_tags option to the http://lxr.php.net/xref/PHP_TRUNK/main/main.c#2339 list, which will trigger a fatal error on startup if it is enabled - that should make sure that anyone using those is aware of the problem (we can also add it to the deprecated list in 5.7, should we have such a release). Doesn't apply to