Hi Pierre,

On Mon, Mar 16, 2015 at 5:17 PM, Pierre Joye <pierre....@gmail.com> wrote:

> On Mar 16, 2015 6:46 PM, "Yasuo Ohgaki" <yohg...@ohgaki.net> wrote:
> >
> > Hi Dennis,
> >
> > On Mon, Mar 16, 2015 at 3:33 PM, Dennis Birkholz <den...@birkholz.biz> wrote:
> >
> > > On 16.03.2015 at 07:22, Yasuo Ohgaki wrote:
> > > > The caller _must_ satisfy the callee's requirements. This is a simple
> > > > principle for writing secure code.
> > > >
> > > > With this RFC, the caller overrides a security-related setting. This means
> > > > scripts that are prepared for type safety are "ignored", and it leads to
> > > > a security breach.
> > >
> > > That is simply not true! The callee always gets the type it expects.
> > > There is no security problem involved here. The only difference is whether
> > > type conversion rules apply or an error is raised for a type mismatch.
> > >
> > > You clearly dislike the RFC (you voted no), that is OK, but don't scream
> > > about "security" bugs that don't exist. If they existed, all type hint
> > > RFCs would have them in general.
> >
> > Not only Java/etc. programmers but also PHP programmers will assume type
> > safety from types.
> >
> > Programmers assume integer data is safe once it has been passed as an
> > integer-typed parameter.
> > I'm sure PHP programmers assume the same thing.
> >
> > I posted "bad code":
> >
> > <?php
> > function check_num_range(int $num) {
> >     if ($num < 0 || $num > 100)
> >         trigger_error('Invalid range');
> > }
> > // Somewhere far from the function definition.
> > $num = $_GET['num'];
> > // Somewhere far from the $num definition.
> > check_num_range($num); // Trying to check validity, int and range.
> > echo 'You have '.$num.' now <br />'; // But $num could have any string.
> > // "check_num_range((int)$num)" wouldn't help either.
> > ?>
> >
> > Caller-controlled strict typing makes this worse, i.e.
> >
> > <?php
> > declare(strict_types=1);
> > // We are safe since $num is strictly int. The callee has the responsibility
> > // to pass a valid int. (But it's not.)
> > function check_num_range(int $num) {
> >     if ($num < 0 || $num > 100)
> >         trigger_error('Invalid range');
> > }
> > ?>
> >
> > Setting register_globals=On while the callee script assumes
> > register_globals=Off is a bad thing to do.
> > A similar argument applies to declare(strict_types=1).
> >
> > As I suggested in the other thread, we would do better to sit down and make
> > a reasonable decision.
> > It's not religion, but a technical issue. We can reach a reasonable consensus
> > if we try to. If we cannot, it is better to introduce weak type hints only
> > for the time being.
>
> So basically you mixed topics and voted no for the one RFC that would
> allow what you want to do later while allowing strict hinting already.
> Accepting the other means changing casting rules again later at best. Not
> sure you did well here ;-)

I thought the majority of us saw the benefit of StrictSTH over this RFC.
You're right about it. This RFC will have serious consequences.

We made a mistake with "safe_mode". The main reason it failed is that "it did
not force the caller to take responsibility for making it work as it should".
This RFC does the same with how declare(strict_types=1) works.

Haven't we learned from the "safe_mode" lessons?

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
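The behaviour behind the quoted "bad code", as an added example that is not part of the thread: in coercive mode the int parameter converts only the callee's copy, so the caller's $num stays whatever was submitted, and the second half is one defensive rewrite that validates the raw value with filter_var() and returns the integer the caller must then use. The validated_num_range() function and the sample inputs are constructed for this example.

```php
<?php
// Added example, not from the thread. It shows why the quoted
// check_num_range() leaves the caller's $num unvalidated, and a defensive
// rewrite that hands back the validated integer so the caller must use it.

function check_num_range(int $num): void
{
    if ($num < 0 || $num > 100) {
        throw new RangeException('Invalid range');
    }
}

// Constructed input standing in for $_GET['num'].
$num = '42';
check_num_range($num);   // coercive mode: only the parameter copy becomes an int
var_dump($num);          // the caller's variable is still the submitted string,
                         // so later code handles whatever the client sent

// Defensive rewrite (constructed name): validate the raw value and return a
// real int. filter_var() rejects anything that is not a well-formed integer
// inside the range, so no coercion takes place and nothing is silently trimmed.
function validated_num_range($raw, int $min = 0, int $max = 100): int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    if ($value === false) {
        throw new InvalidArgumentException(
            'Expected an integer between ' . $min . ' and ' . $max
        );
    }
    return $value;
}

// Constructed inputs standing in for several possible $_GET['num'] values,
// including a non-integer string, an out-of-range value and an array.
foreach (['42', '42<script>', '101', ['42']] as $raw) {
    try {
        $num = validated_num_range($raw);   // the caller keeps the validated int
        echo 'You have ' . $num . " now\n";
    } catch (InvalidArgumentException $e) {
        echo 'Rejected: ' . $e->getMessage() . "\n";
    }
}
```

Because declare(strict_types=1) only governs calls made from the file that declares it, the rewrite relies on the callee returning the checked value rather than on the caller's mode.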