Newsgroups: php.internals
From: nikita.ppv@gmail.com (Nikita Popov)
To: PHP internals
Date: Tue, 17 May 2016 16:33:56 +0200
Subject: Re: [VOTE] Forbid dynamic calls to scope introspection functions

On Sun, May 15, 2016 at 10:46 PM, Nikita Popov wrote:

> Hi internals,
>
> The RFC
>
> https://wiki.php.net/rfc/forbid_dynamic_scope_introspection
>
> is now in voting. The vote closes on 2016-05-24 with a required majority
> of 2/3.
>
> Nikita

Thanks to a comment on Reddit, I realized that the function list in the
RFC is missing "assert() with a string argument" as a forbidden function.
The reason is that assert() with a string is really just a different way
of saying eval() -- so it will inherit the parent symbol table and may
modify it. I missed this because the function was also missing from the
opcache indirect var access list (remedied in [1]).

I hope it's not a problem to add this case to the RFC even though it's
already in voting.

Nikita

[1]: https://github.com/php/php-src/commit/b65b15c6f470cc3397ff7719d92cecc762c803e9
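
An added example, not part of the original message, the RFC or php-src: a tokenizer-based audit that lists direct assert() calls whose whole first argument is a string literal, which is the eval()-like form the message describes. The helper name `find_string_asserts()` is hypothetical and `$sample` is constructed input.

```php
<?php
// Added example, not code from the RFC or php-src.
// find_string_asserts() is a hypothetical helper; $sample is constructed input.

function find_string_asserts($source)
{
    // Drop whitespace and comments so neighbouring tokens can be compared directly.
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $tokens = [];
    foreach (token_get_all($source) as $t) {
        if (!is_array($t) || !in_array($t[0], $skip, true)) {
            $tokens[] = $t;
        }
    }

    $hits = [];
    for ($i = 0; isset($tokens[$i + 3]); $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || $t[0] !== T_STRING || strcasecmp($t[1], 'assert') !== 0) {
            continue;
        }
        // Ignore ->assert(), ::assert() and "function assert" declarations.
        $prev = $i > 0 ? $tokens[$i - 1] : null;
        if (is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) {
            continue;
        }
        list($open, $arg, $after) = [$tokens[$i + 1], $tokens[$i + 2], $tokens[$i + 3]];
        // Report only a lone string literal; assert('a' === $b) is an ordinary expression.
        if ($open === '(' && is_array($arg) && $arg[0] === T_CONSTANT_ENCAPSED_STRING
            && ($after === ')' || $after === ',')) {
            $hits[] = ['line' => $t[2], 'code' => $arg[1]];
        }
    }
    return $hits;
}

$sample = <<<'PHP'
<?php
function f($limit, $mode) {
    assert('$limit < 100');            // string form: evaluated in f()'s scope
    assert($limit < 100);              // expression form: no runtime eval
    assert('strict' === $mode);        // expression that happens to start with a string
    $this->assert('not the builtin');
}
PHP;

foreach (find_string_asserts($sample) as $hit) {
    echo "line {$hit['line']}: assert({$hit['code']})\n";
}
```

The scan sees only literal string arguments on direct, unqualified calls. Interpolated strings, assert($variable) and calls made through a variable function name or call_user_func() cannot be resolved from tokens alone and need manual review.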