On 26 February 2019 13:26:24 GMT+00:00, Nikita Popov <nikita....@gmail.com> wrote:
>I'm mentioning this, because it is a precedent for tweaking the string
>to string numeric comparison rules to prevent unexpected and possibly
>security critical equalities. I think we could add similar special
>handling for the "0eNNNN" == "0eMMMM" case, as this is another
>"catastrophic" case when it comes to comparisons of hashes that happen
>to start with 0e, for example.
That makes sense. Personally, I find the treatment of strings in this e-notation problematic in all contexts - it makes is_numeric() much less useful for validation, for instance - but realise we have to balance compatibility here.

>It might be better to discuss such a change separately from this
>proposal though (it's much more minor, and something that can also
>conceivably go into a minor version, given that the previous change
>was applied in a patch release).

I think keeping it to a separate RFC is fine, but it would be nice to target the same release. "We've made == safer" is something that we can shout about, even if it's composed of a bunch of small tweaks. It also gives one upgrade where people need to look for subtle breaks, rather than two.

Regards,

-- 
Rowan Collins
[IMSoP]

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
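The "0eNNNN" == "0eMMMM" case discussed in the thread, as an added illustration that is not part of the mailing-list exchange or of PHP's own source: both digest strings below are constructed placeholders (not real hashes of anything) made of "0e" followed only by digits, so PHP's numeric-string rules parse each as 0 * 10^N, i.e. the float 0.0, and the loose `==` comparison reports them equal even though they share no digits. The strict `===` comparison and `hash_equals()` both report them as different, and the final two calls show why `is_numeric()` is a weak validator for digit-only input, since it accepts e-notation too. The function names (`looseMatch`, `strictMatch`, `safeMatch`) are assumptions chosen for this example.

```php
<?php
// Added example, not code from the PHP internals thread or from PHP itself.
// Shows loose vs. strict vs. constant-time comparison on two constructed
// "0e..." digest strings, and is_numeric() vs. a digits-only regex.

// Constructed placeholder digests: "0e" followed only by digits, so PHP
// treats each as a numeric string equal to 0.0 under loose comparison.
$storedDigest   = '0e1234567890123456789012345678';
$suppliedDigest = '0e9876543210987654321098765432';

// Loose comparison: two numeric strings are compared as numbers, so the
// differing digits after "0e" are ignored. This is the bug the thread is about.
function looseMatch(string $a, string $b): bool
{
    return $a == $b;
}

// Strict comparison: same type and identical bytes required, no numeric
// coercion of either operand.
function strictMatch(string $a, string $b): bool
{
    return $a === $b;
}

// hash_equals() (PHP >= 5.6) compares byte-wise in constant time; it is the
// right tool for secrets and digests, since it also avoids timing leaks.
function safeMatch(string $known, string $supplied): bool
{
    return hash_equals($known, $supplied);
}

// A digits-only check that states the intent directly, instead of relying
// on is_numeric(), which also accepts e-notation such as "0e12345".
function isDigitsOnly(string $s): bool
{
    return preg_match('/\A[0-9]+\z/', $s) === 1;
}

var_dump(looseMatch($storedDigest, $suppliedDigest));
var_dump(strictMatch($storedDigest, $suppliedDigest));
var_dump(safeMatch($storedDigest, $suppliedDigest));

var_dump(is_numeric('0e12345'));
var_dump(isDigitsOnly('0e12345'));
```

Run with `php example.php`: the first `var_dump` prints `bool(true)` for the loose comparison, the strict and `hash_equals()` comparisons print `bool(false)`, `is_numeric('0e12345')` prints `bool(true)`, and the digits-only regex prints `bool(false)`. This behaviour is unchanged in PHP 8, whose comparison changes affected number-to-string, not string-to-string numeric comparisons, so code comparing digests or tokens should use `hash_equals()` (or at least `===`) regardless of PHP version.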