Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:93490
Return-Path: <nikita.ppv@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 13591 invoked from network); 24 May 2016 18:54:53 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 24 May 2016 18:54:53 -0000
Authentication-Results: pb1.pair.com smtp.mail=nikita.ppv@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=nikita.ppv@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.161.173 as permitted sender)
X-PHP-List-Original-Sender: nikita.ppv@gmail.com
X-Host-Fingerprint: 209.85.161.173 mail-yw0-f173.google.com  
Received: from [209.85.161.173] ([209.85.161.173:33693] helo=mail-yw0-f173.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 08/E4-10476-C73A4475 for <internals@lists.php.net>; Tue, 24 May 2016 14:54:53 -0400
Received: by mail-yw0-f173.google.com with SMTP id h19so25395065ywc.0
        for <internals@lists.php.net>; Tue, 24 May 2016 11:54:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to;
        bh=y+EBL5nHzlmaIBbApEDkwoaW/r+D/n9wcBX5+UMF5Gc=;
        b=u4xgihGFWOh5Q6qsP4jeRThsNvUFEcLqgcZFnseCRXMT4N9Ht1y7eGY6XPOVG3NpDj
         szjPqzaFMQ7prVV9MxhXP4p1aVdewOJJWr6nhy9As4JgtVwXfSKm+B4hm+0UYqv5a1pE
         CFbRqy1PmtmA17DbNVDIKwDDplXKGBporwpno6MWmh8az7+X/tDADeDZyP35TT7ubYDw
         IJKVmovoOM8ZDHA1xBtGt2yJmFWnHdJUfsQ+BSvEE8FQYt7XloaiszXm3NBJkhDmQru0
         DBvBSjNi0vRWbpx5e4ymyh0aDoNmPIA4nt3wQUKR0uBCuYW+CwhpUHy/qjmCAUoCN0Rf
         19dA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:date
         :message-id:subject:from:to;
        bh=y+EBL5nHzlmaIBbApEDkwoaW/r+D/n9wcBX5+UMF5Gc=;
        b=FFKs+g09AjcsDc2nFpoFgbTWfQtW0zXJx78SCn8I790KrJiMDPo9PnnOKrwMfXoXtM
         aA/4YEJ/dP16tObx0XoN0hfPtrv87Nzp8sooZOnaYXSbIL1erlHzWAEQZwMoib8cI4KK
         AjTpKWuMUSRblQh59HrMXQgfa9IVdJaeS0mn6GFQpq1RCYSvP2K0/e2H0LkmpnDXhALM
         qopslpUvRbLSuq+NckXl/vw19u9VoZKuPcs6ev9Yz6xcyt4zhiPtRRQoDCLsruOD6GOl
         nYA9vSIxAW74+hGBKpeBbxFHFJtm7Y2Yo80o+NNurd4BanQKXZQrrAyPfRD5N/8u0aUZ
         nqJQ==
X-Gm-Message-State: ALyK8tJKpYgMhPSy+YyjGduV+OJp7iA1bZXx5/SomWTTqRwAfR/HlZA9Z4R1tmWr3kIWHLb7EeaLlzQaqwU39Q==
MIME-Version: 1.0
X-Received: by 10.129.121.6 with SMTP id u6mr3510259ywc.55.1464116090419; Tue,
 24 May 2016 11:54:50 -0700 (PDT)
Received: by 10.13.239.3 with HTTP; Tue, 24 May 2016 11:54:50 -0700 (PDT)
In-Reply-To: <CAF+90c_EPx-zq37W+Oj++pALZHAKYFRBY7vdoLFZVAtQDm2DeA@mail.gmail.com>
References: <CAF+90c-xkT6G0yYHOBZ8vGpdxMNvNsu11CSQoiPwjDqB+EtsVw@mail.gmail.com>
	<CAF+90c_EPx-zq37W+Oj++pALZHAKYFRBY7vdoLFZVAtQDm2DeA@mail.gmail.com>
Date: Tue, 24 May 2016 20:54:50 +0200
Message-ID: <CAF+90c-n5+8APiPa+YkZuopuJcMKSkW2Pdp96EbuQ8MiQBRNLQ@mail.gmail.com>
To: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=94eb2c0a87567abee205339b1788
Subject: Re: [VOTE] Forbid dynamic calls to scope introspection functions
From: nikita.ppv@gmail.com (Nikita Popov)

--94eb2c0a87567abee205339b1788
Content-Type: text/plain; charset=UTF-8

On Tue, May 17, 2016 at 4:33 PM, Nikita Popov <nikita.ppv@gmail.com> wrote:

> On Sun, May 15, 2016 at 10:46 PM, Nikita Popov <nikita.ppv@gmail.com>
> wrote:
>
>> Hi internals,
>>
>> The RFC
>>
>>     https://wiki.php.net/rfc/forbid_dynamic_scope_introspection
>>
>> is now in voting. The vote closes on 2016-05-24 with a required majority
>> of 2/3.
>>
>> Nikita
>>
>
> Thanks to a comment on Reddit, I realized that the function list in the
> RFC is missing "assert() with a string argument" as a forbidden function.
> The reason is that assert() with a string is really just a different way of
> saying eval() -- so it will inherit the parent symbol table and may modify
> it. I missed this because the function was also missing from the opcache
> indirect var access list (remedied in [1]).
>
> I hope it's not a problem to add this case to the RFC even though it's
> already in voting.
>
> Nikita
>
> [1]:
> https://github.com/php/php-src/commit/b65b15c6f470cc3397ff7719d92cecc762c803e9
>

The RFC has been accepted with 39 votes in favor and one against. The
implementation has landed in [1]. As mentioned previously, assert() with a
string argument (aka eval) is also part of the final implementation.

Nikita

[1]:
https://github.com/php/php-src/commit/91f5940329fede8a26b64e99d4d6d858fe8654cc

--94eb2c0a87567abee205339b1788--