Re: [PHP-DEV] Re: Re: PHP Crypt functions - security audit

2013-09-26 Thread Daniel Lowrey
--- SSL/TLS security progress update --- All previously discussed aspects of secure-by-default stream encryption are now implemented and tested. There are some other significant improvements including but not limited to full TLSv1.1+TLSv1.2 support and simplified peer fingerprint verification. As

Re: [PHP-DEV] Re: Question on XMLReader

2013-09-26 Thread John Stokes
Well, fine then. I'm trying to understand the mechanics behind XMLReader::next() and XMLReader::read() Given an XML file like this: $library = ' Of Mice and Men A Tale of Two Cities '; $XMLdoc = XMLReader::XML($library); It seems to me that the XMLReader

[PHP-DEV] Failing builds on Travis

2013-09-26 Thread Tjerk Meesters
Hi, The success of builds on Travis seems to hinge on a particular test case: ext/standard/tests/file/disk_free_space_basic.phpt It asserts that if a file is written to, the free space after the write must always be lower than the previously recorded value. On a busy system the free space is af

Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed

2013-09-26 Thread Sanford Whiteman
> Under normal circumstances, entering elevator or tunnel would not lose  > session ID most likely since lost connection would not lose session ID.  > When end-users simply lost their connection, IP address wouldn't change. There's good reason to believe that the "event" of being assigned a new

Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed

2013-09-26 Thread Yasuo Ohgaki
Hi Sanford, On Fri, Sep 27, 2013 at 9:45 AM, Sanford Whiteman < swhitemanlistens-softw...@cypressintegrated.com> wrote: > > When URL based session is used, this feature should be > > disabled as pages are cached by browsers. > > OK, I suppose, but that seems to be an edgier case than what we're

Re: [PHP-DEV] [RFC] Escaping RFC for PHP Core - Updates?

2013-09-26 Thread Yasuo Ohgaki
Hi, On Sun, Sep 8, 2013 at 1:43 AM, Levi Morrison wrote: > You have a flawed understanding of good functional design. Instead of > directly calling the escaping function you would simply ask for a callable > and pass in the escaping function. Thus, you could use an alternative > escaping function

Re: [PHP-DEV] [RFC] Escaping RFC for PHP Core - Updates?

2013-09-26 Thread Yasuo Ohgaki
Hi, On Sun, Sep 8, 2013 at 1:36 AM, Nikita Nefedov wrote: > On Sat, 07 Sep 2013 20:08:45 +0400, Michael John Burgess < > mich...@mjburgess.co.uk> wrote: > > On 07/09/2013 15:41, Levi Morrison wrote: >> >>> It looks nicer than Escaper::escapeJs(), Escaper::escapeHtml(), etc. Any commen

Re: [PHP-DEV] [RFC] Escaping RFC for PHP Core - Updates?

2013-09-26 Thread Yasuo Ohgaki
Hi Pierre, On Sat, Sep 7, 2013 at 5:51 PM, Pierre Joye wrote: > I like the goal of this proposal. > > It would however fits much better in ext/filter. Yes, escaping has > different purposes than filtering. > > I have some worries about the implementation. It is not an easy task and > some extern

Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed

2013-09-26 Thread Sanford Whiteman
> When URL based session is used, this feature should be > disabled as pages are cached by browsers. OK, I suppose, but that seems to be an edgier case than what we're already discussing. > BTW, if connection is unstable and an app force user to logout, > is it going to be a problem? It would dep

Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed

2013-09-26 Thread Yasuo Ohgaki
Hi Sanford, On Fri, Sep 27, 2013 at 7:57 AM, Sanford Whiteman < swhitemanlistens-softw...@cypressintegrated.com> wrote: > > Users who are concerned for this situation should disable it. Users > > who are concerned security should accept this case. > > I assume "users" are as we understand them he

Re: [PHP-DEV] PR 287 - added use_keys argument to array_filter() [Discussion]

2013-09-26 Thread Sherif Ramadan
On Thu, Sep 26, 2013 at 7:33 PM, Tjerk Meesters wrote: > > > > I didn't quite understand how the current implementation would have BC > issues, though. Would you care to elaborate on that? > > > I didn't look at your actual implementation. I saw 3 constants and deduced that one would be required.

Re: [PHP-DEV] PR 287 - added use_keys argument to array_filter() [Discussion]

2013-09-26 Thread Tjerk Meesters
On Fri, Sep 27, 2013 at 7:11 AM, Sherif Ramadan wrote: > > > > On Thu, Sep 26, 2013 at 6:51 PM, Tjerk Meesters > wrote: > >> >> >> I deliberately chose these values so that I can simply specify `true` to >> mean pass both values. Bit masks seem cumbersome in this situation. >> >> > > The default

Re: [PHP-DEV] PR 287 - added use_keys argument to array_filter() [Discussion]

2013-09-26 Thread Sherif Ramadan
On Thu, Sep 26, 2013 at 6:51 PM, Tjerk Meesters wrote: > > > I deliberately chose these values so that I can simply specify `true` to > mean pass both values. Bit masks seem cumbersome in this situation. > > The default behavior is already to pass the value to the callback. Requiring the argument

Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed

2013-09-26 Thread Sanford Whiteman
> Users who are concerned for this situation should disable it. Users > who are concerned security should accept this case. I assume "users" are as we understand them here, i.e. me. But as a developer-user I would likely want to empower my end-users to turn off this feature themselves. With high-

Re: [PHP-DEV] PR 287 - added use_keys argument to array_filter() [Discussion]

2013-09-26 Thread Tjerk Meesters
Hi, On 27 Sep, 2013, at 12:31 AM, Andrea Faulds wrote: > On 26/09/2013 05:42, Tjerk Meesters wrote: >> Hi, >> >> I've updated my patch to allow a range of values to be passed as the third >> argument: pass key, pass value or pass both. >> >> Instead of using OR-able constants, I went with an e

Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed

2013-09-26 Thread Sanford Whiteman
> Let's be clear here: this won't happen (in most cases), because the client > will simply get a new cookie and the session will keep working; it's like > what you would implement if your user level goes from anonymous to logged > in and vice versa. I'm glad you addressed this because I'd been thi

Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed

2013-09-26 Thread Yasuo Ohgaki
Hi Tjerk, On Thu, Sep 26, 2013 at 7:32 PM, Tjerk Meesters wrote: > >> Many people still have dynamic IP addresses for their home connections, >> but >> the group who would suffer the most would be mobile users. It's pretty >> frustrating to use most sites with a phone as it is, without being kick

[PHP-DEV] __construct is like a normal method but without E_STRICT

2013-09-26 Thread Robert Stoll
Heya I would like to have some opinions on the topic inconsistency between methods and __construct See the following code: class A { function __construct($a) {} function foo($a) {} } class B extends A { function __construct($a, $b) {}

Re: [PHP-DEV] RFC: Anonymous Classes

2013-09-26 Thread Alexander M
On Thu, Sep 26, 2013 at 5:59 PM, Joe Watkins wrote: > Ok, I included just about all the information on use cases that is obvious > or has been discussed, so I think we got use cases covered now, right ?? > > See a good one yet ?? > > > Cheers > Joe Wondering about scoping. Yes, anonymous classes

Re: [PHP-DEV] PR 287 - added use_keys argument to array_filter() [Discussion]

2013-09-26 Thread Andrea Faulds
On 26/09/2013 05:42, Tjerk Meesters wrote: Hi, I've updated my patch to allow a range of values to be passed as the third argument: pass key, pass value or pass both. Instead of using OR-able constants, I went with an enumeration type because there are only going to be three options; it just fe

Re: [PHP-DEV] RFC: Anonymous Classes

2013-09-26 Thread Joe Watkins
On 09/26/2013 01:00 PM, Pierre Joye wrote: On Sep 26, 2013 10:35 AM, "Joe Watkins" wrote: Thanks ... I have made many changes to the RFC and patch since the beginning of this discussion ... It might be useful if you could all now go back to the RFC for another read, point out anythi

Re: [PHP-DEV] Gnu/Hurd support

2013-09-26 Thread Christopher Jones
On 9/26/13 7:22 AM, Lior Kaplan wrote: Hi, In Debian we build PHP for GNU/Hurd system, which need some minor fixes available here: http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=blob;f=debian/patches/116-posixness_fix.patch (per the guidelines here: http://www.gnu.org/software/hurd/hu

[PHP-DEV] Gnu/Hurd support

2013-09-26 Thread Lior Kaplan
Hi, In Debian we build PHP for GNU/Hurd system, which need some minor fixes available here: http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=blob;f=debian/patches/116-posixness_fix.patch (per the guidelines here: http://www.gnu.org/software/hurd/hurd/porting/guidelines.html#PATH_MAX_tt_MAX_

Re: [PHP-DEV] RFC: Anonymous Classes

2013-09-26 Thread Patrick Schaaf
On 26.09.2013 12:16, "Joe Watkins" wrote: > For the following reasons the syntax should remain as it is: > > It is consistent with anonymous function calls - args after definition ... I think it is exceedingly rare for anonymous functions to be called at their point of definition, while

Re: [PHP-DEV] RFC: Anonymous Classes

2013-09-26 Thread Pierre Joye
On Sep 26, 2013 10:35 AM, "Joe Watkins" wrote: > >> > > Thanks ... > > I have made many changes to the RFC and patch since the beginning of this discussion ... > > It might be useful if you could all now go back to the RFC for another read, point out anything I've left unclear at this point. I s

Re: [PHP-DEV] RFC: Anonymous Classes

2013-09-26 Thread Joe Watkins
On 09/26/2013 11:38 AM, Lazare Inepologlou wrote: 2013/9/26 Joe Watkins On 09/26/2013 01:50 AM, Pierre Joye wrote: hi! On Sun, Sep 22, 2013 at 11:39 PM, Joe Watkins wrote: Morning All, https://wiki.php.net/rfc/anonymous_classes I'd like to

Re: [PHP-DEV] RFC: Anonymous Classes

2013-09-26 Thread Lazare Inepologlou
2013/9/26 Joe Watkins > On 09/26/2013 01:50 AM, Pierre Joye wrote: > >> hi! >> >> On Sun, Sep 22, 2013 at 11:39 PM, Joe Watkins wrote: >> >>> Morning All, >>> >>> https://wiki.php.net/rfc/anonymous_classes >>> >>> I'd like to hear thoughts regarding

Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed

2013-09-26 Thread Tjerk Meesters
Hi, On Thu, Sep 26, 2013 at 6:19 PM, Leigh wrote: > On Sep 24, 2013 3:43 AM, "Laruence" wrote: > > > > I don't think this is language concerning issue. > > > > it could be done in user script.. > > > > thanks > > I agree entirely with Laurence (and others). This shouldn't be a core > feature.

Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed

2013-09-26 Thread Leigh
On Sep 24, 2013 3:43 AM, "Laruence" wrote: > > I don't think this is language concerning issue. > > it could be done in user script.. > > thanks I agree entirely with Laurence (and others). This shouldn't be a core feature. It's not one size fits all. There's several scenarios where a user's IP c

Re: [PHP-DEV] RFC: Anonymous Classes

2013-09-26 Thread Joe Watkins
On 09/26/2013 10:28 AM, Nicolas Grekas wrote: I think what Terence was talking about is more like this: class A { } class AProxifier { protected function protectedMethod() {...} function getAProxy() { return new class extends A { /* How do you call AProxifier->protected

Re: [PHP-DEV] RFC: Anonymous Classes

2013-09-26 Thread Patrick Schaaf
On 26.09.2013 11:29, "Nicolas Grekas" wrote: > Btw, I can't get used to ($val) being at the end of the declaration. I > feel it very confusing. I feel the same. Couldn't this (constructor arguments) be moved? $that = new class(/* constructor args */) /* extends X implements Y */ { ... class bo

Re: [PHP-DEV] RFC: Anonymous Classes

2013-09-26 Thread Nicolas Grekas
I think what Terence was talking about is more like this: class A { } class AProxifier { protected function protectedMethod() {...} function getAProxy() { return new class extends A { /* How do you call AProxifier->protectedMethod() here? */ }; } } This is possible with

Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed

2013-09-26 Thread Ferenc Kovacs
On Tue, Sep 24, 2013 at 4:29 AM, Yasuo Ohgaki wrote: > Hi all, > > There isn't any good counter measure session hijack. > However, we can regenerate session ID if IP address has changed. > Hijacked users might notice that they have been logged out if session > ID is regenerated by attackers. Ther

Re: [PHP-DEV] RFC: Anonymous Classes

2013-09-26 Thread Joe Watkins
On 09/26/2013 01:50 AM, Pierre Joye wrote: hi! On Sun, Sep 22, 2013 at 11:39 PM, Joe Watkins wrote: Morning All, https://wiki.php.net/rfc/anonymous_classes I'd like to hear thoughts regarding the addition of anonymous classes, patch included. Thanks for your proposal and work. If you did