Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:90942
Return-Path: <tyra3l@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 45858 invoked from network); 26 Jan 2016 18:35:55 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 26 Jan 2016 18:35:55 -0000
Authentication-Results: pb1.pair.com header.from=tyra3l@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=tyra3l@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.44 as permitted sender)
X-PHP-List-Original-Sender: tyra3l@gmail.com
X-Host-Fingerprint: 74.125.82.44 mail-wm0-f44.google.com  
Received: from [74.125.82.44] ([74.125.82.44:38692] helo=mail-wm0-f44.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 61/E8-10534-98CB7A65 for <internals@lists.php.net>; Tue, 26 Jan 2016 13:35:54 -0500
Received: by mail-wm0-f44.google.com with SMTP id b14so145717046wmb.1
        for <internals@lists.php.net>; Tue, 26 Jan 2016 10:35:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:date:message-id:subject
         :from:to:cc:content-type;
        bh=zALzKNNxaD6XcAgHNWyat2CSxoMMGISw8YLWfp6q30o=;
        b=xbxi+SRG18aGOr/OdK/owpqczlrH4NzEDsvGufZBBvk5pICvoeAKoOUbiJrlHO3mhI
         JbRlRh9tYJbZeVDD3NqK6ZCmnoGVEu1s4XXnizi8K172aImymP8C2uu5Iz8Mk0cvQNxj
         dODr2QP8mYL3myc2Aw6PCsQH4ihMqbEWxURJHFnKjuN92m1WfECUnCoFstAwVyhK73Gn
         Dx2ZpvNIeG6mkLEjR02adNw1LBq09fviESTibPyP0fwpVqOkX0mLp3lxRlGkKpX2y53l
         VXp7pCKVhXAC58//fZ/cbp96ytG0+LtVLiAdpNIrVA59WUu2KRkfrbBtm3yEZ7VFdsny
         p6Mg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:date
         :message-id:subject:from:to:cc:content-type;
        bh=zALzKNNxaD6XcAgHNWyat2CSxoMMGISw8YLWfp6q30o=;
        b=RRaaLXUgsx2xmHzhS9p3YRgBa6EX/d9AUeFC2HBO6BE1L4ABHEFHTc09Zrw5VTzhT8
         rX+FchKDJT0G430kBTvzzSBE49mUWRCuKFIw/vhXMXJMl0mFTKQisrjeAdPSsx16pb7G
         2YQ6QJJoEC70Bs3GcbdLNGrooDUlMr/NDLdxTST5SkknjIr9iPj58+oH+MBRjDFPsuQe
         pK6taDvwbKaj/jO5qbF/xpSMYYYjarzxZsb8GZ1KOIsptRdBVnRdgfqBZpWydQcZWNID
         bd9z+LLb85XG0x9PJKmd8fLPPR+iMZYHmGlPUtI47KWwwp/1Li+/CYbddhUhtejHm4DF
         Wikg==
X-Gm-Message-State: AG10YOQtWQ774udzttTQxwInBxRmhxQMFDXoAa9WQqTrH+pZFS7zzCMy1TMTCOi+HDM5EkCzJlGqcyn7S21SZg==
MIME-Version: 1.0
X-Received: by 10.194.19.138 with SMTP id f10mr10213474wje.108.1453833350633;
 Tue, 26 Jan 2016 10:35:50 -0800 (PST)
Sender: tyra3l@gmail.com
Received: by 10.27.86.202 with HTTP; Tue, 26 Jan 2016 10:35:50 -0800 (PST)
In-Reply-To: <CAEZPtU4v1Qm2AzBZcjbMdpgwRh+2o6ZqcV5yT-ov+QkFEH8j_g@mail.gmail.com>
References: <03a501d15439$fcbf9ca0$f63ed5e0$@php.net>
	<56A1054A.5080102@fedoraproject.org>
	<CAGa2bXbavNd3H3+c_ASOBH6O6LoaBsj52pxPZmjTKZyssup7gw@mail.gmail.com>
	<CAEZPtU4v1Qm2AzBZcjbMdpgwRh+2o6ZqcV5yT-ov+QkFEH8j_g@mail.gmail.com>
Date: Tue, 26 Jan 2016 19:35:50 +0100
X-Google-Sender-Auth: J_mjJtqoTkB4p4qZnQ_PkNcQWh0
Message-ID: <CAH-PCH4msLtH4CM57HQzfoCsWCoDirfO2XZ2v=prym8UAY+rGQ@mail.gmail.com>
To: Pierre Joye <pierre.php@gmail.com>
Cc: Yasuo Ohgaki <yohgaki@ohgaki.net>, PHP internals <internals@lists.php.net>, 
	julien pauli <jpauli@php.net>, Remi Collet <remi@fedoraproject.org>
Content-Type: multipart/alternative; boundary=047d7b5d2d286d7492052a40f424
Subject: Re: [PHP-DEV] PHP 7.0.3 RC1 is available for testing - **** BC break ***
From: tyrael@php.net (Ferenc Kovacs)

--047d7b5d2d286d7492052a40f424
Content-Type: text/plain; charset=UTF-8

>
>
> > This is added because when session cannot be started, then it should
> fail.
> > This fix is related to https://bugs.php.net/bug.php?id=71243
> > The php_session_abort() is not directly related to this bug, but this
> (and
> > other fixes) is added because session_start() returns TRUE even when it
> fails/
> > should fail.
> >
> > Note: PHP 5.6's session_start() return value fix is not perfect to keep
> > save handler compatibility which is a big one. PHP7 should return FALSE
> > for session_start() failures always by the fix.
> >
> > Fixing the broken test should be just removing the php_session_abort()
> from
> > php_session_cache_limiter().
>
> Fixing broken tests most likely mean BC will remain which is not so good.
>
you probably meant BC *break* will remain which I agree that isn't good.


> I understand the overall goal to improve session security but this is an
> area that has behaved this way for years. I am totally convinced that such
> big changes should have (or should) in stable branches, be 7.0 or 5.6.
> Especially because testing these changes take time.
>
I have to look through the changes and the original bugreport which
warranted this change but my gut feeling is that this shouldn't be changed
in a micro version and Yasuo even changed/fixed a handful of tests together
of the code changes, so the potential impact could be even bigger than what
Remi spotted with their CI pipeline.

--047d7b5d2d286d7492052a40f424--