On Tue, Sep 20, 2011 at 11:54 PM, Alan Knowles <a...@akbkhome.com> wrote:
> Let's try and close this one.
>
> https://bugs.php.net/bug.php?id=55475
>
> I've just added a patch that adds is_class_of(), which is identical to
> is_subclass_of, and has the new feature of supporting strings and using the
> autoloader.
>
> It then reverts is_a() back to the previous behavior, and clarifies the
> documentation.
>
> This solves the BC issues, and also solves potential security issues with
> existing code accidentally passing $url's to the autoloader, and gives
> anyone who needs this new behavior a solution.
>
> Let's at least try and respect the new release RFC, and our users who
> appreciate PHP's efforts over the years to try and maintain BC. (it's one of
> its few advantages these days...)
>

Hi Alan,

As it was mentioned before, the main reason to not revert back to the
old behavior is to not break BC once again (it shouldn't have happened
in the first place, but we can't change that. :( ).
The security implications were never brought up though, but I think
that it is plausible that there are people out there without suhosin,
having allow_url_include enabled, and using a vulnerable autoloader
(the PSR-0 reference implementation is vulnerable for example), so
maybe it is worth discussing.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
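
An added example, not code from this thread or from the PSR-0 reference implementation: a PSR-0-style autoloader that refuses any string that is not a syntactically valid class name, so a URL reaching it through a string-accepting is_a() is never turned into a file path. The function names, BASE_DIR and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: hypothetical hardened PSR-0-style autoloader.
// BASE_DIR and both function names are assumptions, not project code.
const BASE_DIR = __DIR__ . '/lib';

// True only for identifiers separated by namespace separators.
// A string such as "http://host/x" contains ':' and '/', so it fails here.
function is_valid_class_name(string $name): bool
{
    $ident = '[a-zA-Z_\x80-\xff][a-zA-Z0-9_\x80-\xff]*';
    return preg_match('/^' . $ident . '(?:\\\\' . $ident . ')*$/', $name) === 1;
}

function safe_psr0_autoload(string $class): void
{
    $class = ltrim($class, '\\');
    if (!is_valid_class_name($class)) {
        return; // not a class name: no path is built, nothing is included
    }

    // PSR-0 mapping: namespace separators become directories, and
    // underscores in the class-name part become directories too.
    $path = '';
    $pos = strrpos($class, '\\');
    if ($pos !== false) {
        $path  = str_replace('\\', DIRECTORY_SEPARATOR, substr($class, 0, $pos))
               . DIRECTORY_SEPARATOR;
        $class = substr($class, $pos + 1);
    }
    $path .= str_replace('_', DIRECTORY_SEPARATOR, $class) . '.php';

    // Anchor the lookup to a fixed directory and include only existing files.
    $file = BASE_DIR . DIRECTORY_SEPARATOR . $path;
    if (is_file($file)) {
        require $file;
    }
}

spl_autoload_register('safe_psr0_autoload');

// Constructed inputs: strings that existing code might pass as the first
// argument of a string-accepting is_a().
foreach (array('Foo_Bar', 'Vendor\\Pkg\\Thing', 'http://example.invalid/x') as $s) {
    printf("%-26s %s\n", $s, is_valid_class_name($s) ? 'looked up' : 'rejected');
}
```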
