Here are my cents to this RFC, as it just keeps popping in in my inbox and it's
beginning to be one that I wish I could ignore.
First, … file extensions? A default Apache configuration and some Nginx
configurations actually accept more than one file extension. This RFC does not
include any way t
Yasuo Ohgaki in php.internals (Wed, 25 Feb 2015 07:54:01 +0900):
>On Wed, Feb 25, 2015 at 7:26 AM, Stanislav Malyshev
>wrote:
>
>> > No other languages have such malware.
>>
>> Are you seriously claiming there is no malware written in languages
>> besides PHP? It can not be, I must be misunderstan
Hi all,
I would like to start voting. The last open issue is vote type
50%+1 or 2/3?
I feel this RFC is somewhere between 50%+1 and 2/3.
Any comment?
I'll start the vote by using "2/3" rule from tomorrow morning
(JST, About 12 hours later from now) if there is no comment
for vote type.
Regards
On 25/02/15 00:38, Dan Ackroyd wrote:
> As soon as you have any possibility of including a file uploaded by an
> attacker, you are probably going to lose.
I think that this is perhaps the key here.
My framework for new sites requires a user to log in before they can
upload anything. So if your man
Hi Kevin,
On Wed, Feb 25, 2015 at 5:18 PM, Kevin Ingwersen (Ingwie Phoenix) <
ingwie2...@googlemail.com> wrote:
> Here are my cents to this RFC, as it just keeps popping in in my inbox and
> it's beginning to be one that I wish I could ignore.
>
> First, … file extensions? A default Apache configu
> -----Original Message-----
> From: Leigh [mailto:lei...@gmail.com]
> Sent: Tuesday, February 24, 2015 2:56 PM
> To: Albert Casademont Filella
> Cc: Benjamin Eberlei; PHP Internals
> Subject: Re: [PHP-DEV] The Game Theory of Scalar Type Hint Voting
>
> On 23 February 2015 at 21:15, Albert Casademont
Hi all,
On Wed, Feb 25, 2015 at 5:58 PM, Lester Caine wrote:
> > As soon as you have any possibility of including a file uploaded by an
> > attacker, you are probably going to lose.
>
> I think that this is perhaps the key here.
I thought it's rather obvious how this RFC works, but apparently
On Wed, Feb 25, 2015 at 10:09 AM, Zeev Suraski wrote:
>> -----Original Message-----
>> From: Leigh [mailto:lei...@gmail.com]
>> Sent: Tuesday, February 24, 2015 2:56 PM
>> To: Albert Casademont Filella
>> Cc: Benjamin Eberlei; PHP Internals
>> Subject: Re: [PHP-DEV] The Game Theory of Scalar Type Hin
On Sun, 22 Feb 2015, Nikita Popov wrote:
> I would like to propose reclassifying our few existing E_STRICT
> notices and removing this error category:
>
> https://wiki.php.net/rfc/reclassify_e_strict
>
> As we don't really have good guidelines on when which type of error
> should be thrown
On Tue, 24 Feb 2015, Yasuo Ohgaki wrote:
> On Tue, Feb 24, 2015 at 4:48 PM, Alexander Lisachenko <
> lisachenko...@gmail.com> wrote:
>
> > There is a draft for that: https://wiki.php.net/rfc/case-sensitivity
> > (mostly empty), so I decided to ask this question in the internals
> > mail list.
>
Hi Jan,
On Wed, Feb 25, 2015 at 5:31 PM, Jan Ehrhardt wrote:
> Google for "java malware" and you'll find things like
>
> http://www.javaworld.com/article/2104862/java-security/report-half-of-all-exploits-target-java.html
>
Thank you for the info.
We are talking about "image based malware".
I'm
Hi Kevin,
On Wed, Feb 25, 2015 at 6:08 PM, Yasuo Ohgaki wrote:
> Your PHP code is only so secure as you make it. If you are in need for
>> such an RFC just to block a few „rare cases“, then I would rather suggest
>> you to either check your source or hand it to a professional to get it
>> counte
On 25/02/15 09:14, Yasuo Ohgaki wrote:
> Hi all,
>
> On Wed, Feb 25, 2015 at 5:58 PM, Lester Caine wrote:
>
>>> As soon as you have any possibility of including a file uploaded by an
>>> attacker, you are probably going to lose.
>>
>> I think that this is perhaps the key here.
>
>
> I thought
On 25/02/15 09:40, Derick Rethans wrote:
> To be really honest, I don't think all of the pro's hold up. For a hash
> check, there is no change really - the only change that is to remove the
> zend_tolower. Previous discussions have IIRC shown that the performance
> benefit is minimal. Compatibil
Hi Lester,
On Wed, Feb 25, 2015 at 6:52 PM, Lester Caine wrote:
> Totally understand what you are trying to do, and if the users you are
> trying to protect actually downloaded PHP direct from the PHP site it
> may stand a chance of actually doing that, but it's adding restrictions
> that WILL b
2015-02-24 17:36 GMT+01:00 Benjamin Eberlei :
> Hi,
>
> On Tue, Feb 24, 2015 at 5:17 PM, Thomas Gielfeldt
> wrote:
>
>> Hi internals.
>>
>> I've made PR proposing a feature request: A new interface Sortable.
>>
>> https://github.com/php/php-src/pull/1116
>>
>> If possible, I would like to create
On 25 February 2015 at 09:09, Zeev Suraski wrote:
> Leigh,
>
> There isn't a weak-only proposal on the table. There's the original one
> (dual mode) and the coercive one. Both have both strict and dynamic
> elements in them.
> I think that what Anthony proposed about a week or so ago, of having
2015-02-25 13:21 GMT+03:00 Thomas Gielfeldt :
> I have some more proposals for how to implement this interface. Should we
> create an RFC for purposes of discussion, or do you usually do this in the
> mailing lists?
>
Best interface is described by the one single method: sort() that accepts
opti
2015-02-25 11:31 GMT+01:00 Alexander Lisachenko :
>
> 2015-02-25 13:21 GMT+03:00 Thomas Gielfeldt :
>
>> I have some more proposals for how to implement this interface. Should we
>> create an RFC for purposes of discussion, or do you usually do this in the
>> mailing lists?
>>
>
>
> Best interface
Hi Benjamin,
On Tue, Feb 24, 2015 at 1:43 AM, Benjamin Eberlei
wrote:
> with two competing RFCs (has this ever happened before?
There will be another one. DbC.
We will have vote only RFC for 2 competing RFCs if we have
DbC or not, then choose DbC by definition or annotation.
Anyway, Zeev's prop
On 25 February 2015 at 10:43, Yasuo Ohgaki wrote:
> Anyway, Zeev's proposal is much better. IMHO. Since we don't
> have RFC owner for older proposal, we may only have vote for
> Zeev's proposal.
Did I miss something? Pretty sure Anthony is still owning the proposal
he has put forward.
--
PHP In
2015-02-25 13:37 GMT+03:00 Thomas Gielfeldt :
> Yeah, but the "problem" with this, is that your class' sort method, you
> have to implement all the possible permutations the flags can produce. This
> basically just squeezes the 11 functions into 1. The 1 interface with
> sort() and usort() splits
Hey:
On Tue, Feb 24, 2015 at 12:06 AM, François Laupretre wrote:
> Hi,
>
> Starting the vote for https://wiki.php.net/rfc/array-to-string.
>
> Please note that, while the initial RFC proposed both options of either
> fully supporting the feature, or disabling it, the voting choices are now :
>
>
Hi all,
Am 25.02.2015 um 10:09 schrieb Zeev Suraski:
> I think that what Anthony proposed about a week or so ago, of having both
> votes, and if both pass 2/3 - have another vote to choose between them
> (where a simple majority wins) - makes the most sense in this uncharted
> territory.
but that
2015-02-25 12:15 GMT+01:00 Alexander Lisachenko :
>
> 2015-02-25 13:37 GMT+03:00 Thomas Gielfeldt :
>
>> Yeah, but the "problem" with this, is that your class' sort method, you
>> have to implement all the possible permutations the flags can produce. This
>> basically just squeezes the 11 function
Yep, that's what I suggested but Leigh did see a competitive advantage for
weak-type hints in any case because if strict won we would have weak hints
too if I didn't use the declare option. I can see that point even though it
was not made at all with the intention of favouring weak vs strict, I
rea
Le 11/02/2015 21:50, Marcio Almada a écrit :
Since no new discussion topics appeared, the voting on the Group Use
Declarations RFC for PHP7 is now open:
Hi,
We've discussed this RFC with other people of AFUP, and even though
there have been quite a few mails exchanged, I'm sorry to say we di
One thing to consider when annotations are classes is whether using an
annotation should make the annotated class depend on the annotation
classes it uses. In other words, would a missing annotation class
produce an error? It doesn't in Java (at runtime, see
http://stackoverflow.com/a/3567969) and
On 25/02/15 11:23, Dennis Birkholz wrote:
> Or you could create a three-way vote, both proposals together need 2/3
> majority over no-votes and the proposals that gets more than the other
> is chosen.
Even that simplifies things perhaps a little too much?
The questions as I see them are ...
Scal
Hi Anthony,
Few notes:
- first of all, it would be great to split the voting questions: 2/3 -
implement scalar type hinting + 1/2 - in addition add strict type hinting
as you propose. I think, the concept of run-time declare() switch is not
designed well. It just affects VM and JITed code in nega
Hey:
On Tue, Feb 24, 2015 at 2:27 AM, Marc Bennewitz wrote:
> Hi Dimitry,
>
> Am 19.02.2015 um 16:13 schrieb Dmitry Stogov:
>>
>> Hi Nikita,
>>
>> I refactored your implementation: https://github.com/php/php-src/pull/1095
>>
>> I introduced a class hierarchy to minimize effect on existing code.
>
anyone may tell, what this will print without running :)
main.php
a.php
=
b.php
=
Thanks. Dmitry.
On Wed, Feb 25, 2015 at 3:19 PM, Dmitry Stogov wrote:
> Hi Anthony,
>
> Few notes:
>
> - first of all, it would be great to split the voting questions: 2/3 -
> implement scala
Hi,
Le 25 févr. 2015 13:31, "Dmitry Stogov" a écrit :
>
> anyone may tell, what this will print without running :)
>
> main.php
>
> declare(strict_types=1)
> include "a.php";
> include "b.php";
> var_dump(foo("5"));
> ?>
>
> a.php
> =
> declare(strict_types=0)
> function foo(string
On Wed, 25 Feb 2015 16:30:32 +0400, Dmitry Stogov wrote:
anyone may tell, what this will print without running :)
main.php
a.php
=
b.php
=
Thanks. Dmitry.
Hi Dmitry,
This will error out because $a in the scope of `foo` will be coerced to
int type when passed to bar
On Wed, 25 Feb 2015 15:42:11 +0400, Niktia Nefedov
wrote:
On Wed, 25 Feb 2015 16:30:32 +0400, Dmitry Stogov
wrote:
anyone may tell, what this will print without running :)
main.php
a.php
=
b.php
=
Thanks. Dmitry.
Hi Dmitry,
This will error out because $a in the
On Wed, Feb 25, 2015 at 4:30 AM, Dmitry Stogov wrote:
> anyone may tell, what this will print without running :)
>
> main.php
>
> declare(strict_types=1)
> include "a.php";
> include "b.php";
> var_dump(foo("5"));
> ?>
>
> a.php
> =
> declare(strict_types=0)
> function foo(string $
On Wed, Feb 25, 2015 at 2:42 PM, Niktia Nefedov wrote:
> On Wed, 25 Feb 2015 16:30:32 +0400, Dmitry Stogov wrote:
>
> anyone may tell, what this will print without running :)
>>
>> main.php
>>
>> > declare(strict_types=1)
>> include "a.php";
>> include "b.php";
>> var_dump(foo("5"));
>
On Wed, Feb 25, 2015 at 3:54 PM, Shashank Kumar
wrote:
> On Wed, Feb 25, 2015 at 4:30 AM, Dmitry Stogov wrote:
>
>> anyone may tell, what this will print without running :)
>>
>> main.php
>>
>> > declare(strict_types=1)
>> include "a.php";
>> include "b.php";
>> var_dump(foo("5"));
>> ?
Hi Lester,
Am 25.02.2015 um 12:48 schrieb Lester Caine:
> On 25/02/15 11:23, Dennis Birkholz wrote:
>> Or you could create a three-way vote, both proposals together need 2/3
>> majority over no-votes and the proposals that gets more than the other
>> is chosen.
>
> Even that simplifies things per
On Wed, 25 Feb 2015 16:55:57 +0400, Dmitry Stogov wrote:
On Wed, Feb 25, 2015 at 2:42 PM, Niktia Nefedov
wrote:
On Wed, 25 Feb 2015 16:30:32 +0400, Dmitry Stogov
wrote:
anyone may tell, what this will print without running :)
main.php
a.php
=
b.php
=
Thank. Dm
Tony Marston wrote on 21/02/2015 10:08:
""Nikita Nefedov"" wrote in message news:op.xuco5eutc9evq2@nikita-pc...
On Fri, 20 Feb 2015 12:39:33 +0300, Tony Marston
wrote:
I disagree. Exceptions were originally invented to solve the
semipredicate problem which only exists with procedural func
On Fri, Feb 20, 2015 at 8:01 AM, Yasuo Ohgaki wrote:
> Hi all,
>
> On Fri, Feb 20, 2015 at 12:14 AM, Trevor Suarez wrote:
>
>> I think that naming the new parent exception something like "Throwable" or
>> "Catchable" (as Nikita previously suggested) would be a bit more concise in
>> meaning than
On Wed, Feb 25, 2015 at 3:15 PM, Niktia Nefedov wrote:
> On Wed, 25 Feb 2015 16:55:57 +0400, Dmitry Stogov
> wrote:
>
>
>
> On Wed, Feb 25, 2015 at 2:42 PM, Niktia Nefedov
> wrote:
>
>> On Wed, 25 Feb 2015 16:30:32 +0400, Dmitry Stogov
>> wrote:
>>
>> anyone may tell, what this will print wi
On 25/02/15 13:19, Rowan Collins wrote:
>>> Tony, first of all - this still breaks BC, because exception is being
>>> thrown in a place where it used not to be...
>>
>> I disagree. The following function calls would not throw exceptions
>>fopen(...);
>>fwrite(...);
>>fclose(...);
>>
>>
On Wed, Feb 25, 2015 at 4:19 PM, Rowan Collins
wrote:
> Tony Marston wrote on 21/02/2015 10:08:
>
>> ""Nikita Nefedov"" wrote in message news:op.xuco5eutc9evq2@nikita-pc...
>>
>>>
>>> On Fri, 20 Feb 2015 12:39:33 +0300, Tony Marston <
>>> tonymars...@hotmail.com> wrote:
>>>
I disagree.
Dmitry,
On Wed, Feb 25, 2015 at 7:19 AM, Dmitry Stogov wrote:
> Hi Anthony,
>
> Few notes:
>
> - first of all, it would be great to split the voting questions: 2/3 -
> implement scalar type hinting + 1/2 - in addition add strict type hinting as
I've mentioned this a few times, but I disagree wit
Yasuo Ohgaki in php.internals (Wed, 25 Feb 2015 19:07:05 +0900):
>I understand people do all kinds of things.
>Therefore, I'm allowing
>
>ini_set('zend.script_extension', ''); // Disable protections at all.
>
>It's users choice if they use systematically secure configuration or not.
>However, provi
Dmitry:
On Wed, Feb 25, 2015 at 7:55 AM, Dmitry Stogov wrote:
> On Wed, Feb 25, 2015 at 2:42 PM, Niktia Nefedov wrote:
>
>> On Wed, 25 Feb 2015 16:30:32 +0400, Dmitry Stogov wrote:
>>
>> anyone may tell, what this will print without running :)
>>>
>>> main.php
>>>
>>> >> declare(stric
Dmitry,
> The object on the call-site should remain to be an object (if it's not
> passed by reference), however the called function will receive a string.
> It works in PHP-5 and PHP-7. Nothing should be changed.
>
> $ sapi/cli/php -r 'class X {function __toString(){return "abc";}} $x=new X;
> va
On 25/02/15 12:58, Dmitry Stogov wrote:
>> Does that mean when reading or writing code, in addition to checking the
>> > signature of a function,
>> > I have to check the 'strict_types' setting at the top as well, to
>> > understand how that signature behaves?
>> >
> I think you should check it in
Dmitry Stogov wrote on 25/02/2015 14:07:
No. The proposal is only about fatal engine errors, like "Fatal Error:
Call to undefined function %s()".
Instead of script termination they will throw exceptions.
fopen() won't be touched at all. It's out of scope of proposal.
Hi Dmitry,
I was respondi
On Wed, Feb 25, 2015 at 6:03 PM, Anthony Ferrara
wrote:
> Dmitry,
>
> On Wed, Feb 25, 2015 at 7:19 AM, Dmitry Stogov wrote:
> > Hi Anthony,
> >
> > Few notes:
> >
> > - first of all, it would be great to split the voting questions: 2/3 -
> > implement scalar type hinting + 1/2 - in addition add
On Wed, Feb 25, 2015 at 6:06 PM, Anthony Ferrara
wrote:
> Dmitry:
>
> On Wed, Feb 25, 2015 at 7:55 AM, Dmitry Stogov wrote:
> > On Wed, Feb 25, 2015 at 2:42 PM, Niktia Nefedov
> wrote:
> >
> >> On Wed, 25 Feb 2015 16:30:32 +0400, Dmitry Stogov
> wrote:
> >>
> >> anyone may tell, what this wil
Dmitry
On Wed, Feb 25, 2015 at 10:20 AM, Dmitry Stogov wrote:
>
>
> On Wed, Feb 25, 2015 at 6:06 PM, Anthony Ferrara
> wrote:
>>
>> Dmitry:
>>
>> On Wed, Feb 25, 2015 at 7:55 AM, Dmitry Stogov wrote:
>> > On Wed, Feb 25, 2015 at 2:42 PM, Niktia Nefedov
>> > wrote:
>> >
>> >> On Wed, 25 Feb 201
On Wed, 25 Feb 2015 17:54:21 +0400, Dmitry Stogov wrote:
The object on the call-site should remain to be an object (if it's not
passed by reference), however the called function will receive a string.
It works in PHP-5 and PHP-7. Nothing should be changed.
$ sapi/cli/php -r 'class X {function
On Wed, Feb 25, 2015 at 6:09 PM, Anthony Ferrara
wrote:
> Dmitry,
>
> > The object on the call-site should remain to be an object (if it's not
> > passed by reference), however the called function will receive a string.
> > It works in PHP-5 and PHP-7. Nothing should be changed.
> >
> > $ sapi/cl
On Sat, Feb 21, 2015 at 2:47 PM, Zeev Suraski wrote:
>> "with two potential 'camps' of developers forming up"
>>
>> Have you looked at the community lately? That's been happening for a
>> decade. One camp likes to engineer everything out using classes and
>> libraries. The other keeps using PH
On Wed, Feb 25, 2015 at 6:24 PM, Anthony Ferrara
wrote:
> Dmitry
>
> On Wed, Feb 25, 2015 at 10:20 AM, Dmitry Stogov wrote:
> >
> >
> > On Wed, Feb 25, 2015 at 6:06 PM, Anthony Ferrara
> > wrote:
> >>
> >> Dmitry:
> >>
> >> On Wed, Feb 25, 2015 at 7:55 AM, Dmitry Stogov wrote:
> >> > On Wed, F
Dmitry,
On Wed, Feb 25, 2015 at 10:13 AM, Dmitry Stogov wrote:
>
>
> On Wed, Feb 25, 2015 at 6:03 PM, Anthony Ferrara
> wrote:
>>
>> Dmitry,
>>
>> On Wed, Feb 25, 2015 at 7:19 AM, Dmitry Stogov wrote:
>> > Hi Anthony,
>> >
>> > Few notes:
>> >
>> > - first of all, it would be great to split th
On Wed, Feb 25, 2015 at 5:23 PM, Niktia Nefedov wrote:
> On Wed, 25 Feb 2015 17:54:21 +0400, Dmitry Stogov wrote:
>
>> The object on the call-site should remain to be an object (if it's not
>> passed by reference), however the called function will receive a string.
>> It works in PHP-5 and PHP-7
On Wed, Feb 25, 2015 at 6:47 PM, Anthony Ferrara
wrote:
> Dmitry,
>
>
> On Wed, Feb 25, 2015 at 10:13 AM, Dmitry Stogov wrote:
> >
> >
> > On Wed, Feb 25, 2015 at 6:03 PM, Anthony Ferrara
> > wrote:
> >>
> >> Dmitry,
> >>
> >> On Wed, Feb 25, 2015 at 7:19 AM, Dmitry Stogov wrote:
> >> > Hi Ant
On Wed, Feb 25, 2015 at 7:29 AM, Dmitry Stogov wrote:
> On Wed, Feb 25, 2015 at 6:09 PM, Anthony Ferrara
> wrote:
>
>> Dmitry,
>>
>> > The object on the call-site should remain to be an object (if it's not
>> > passed by reference), however the called function will receive a string.
>> > It works
Dmitry,
> But checks are performed not in the caller but in RECV opcode at called
> function.
> And in this function we don't know if it's going to be called only in strict
> mode or in weak as well.
Currently, yes. However, by the time we enter ZEND_DO_FCALL, we know
which function we're going t
Hi internals,
I was just browsing the RFC wiki page when I noticed a sub-section for PHP
5.7 under the Implemented section[1]. Considering that the PHP 5.7 version
RFC was put to a vote and failed[2], I'm wondering why these items are
still in this section.
Should we move these 5.7 items to the 7
On 25/02/2015 12:30, Dmitry Stogov wrote:
anyone may tell, what this will print without running :)
main.php
a.php
=
b.php
=
I am not sure if we really need to focus the discussion on whether edge
cases using references are confusing or not. They already are confusing
ev
> -----Original Message-----
> From: Shashank Kumar [mailto:shashankkumar...@gmail.com]
> Sent: Wednesday, February 25, 2015 2:54 PM
> To: Dmitry Stogov
> Cc: Anthony Ferrara; internals@lists.php.net
> Subject: Re: [PHP-DEV] Re: [RFC-Discuss] Scalar Type Declarations v0.5
>
> On Wed, Feb 25, 2015 a
On Tue, Feb 24, 2015 at 2:25 PM, Stanislav Malyshev wrote:
> Hi!
>
>> I like the idea of having anonymous classes, it is very helpful during
>> development to just try something out without having the burden of
>> creating a new file and a complete class including namespace and use
>> declarations
On 25/02/15 15:31, Pierre Joye wrote:
> With the other RFC, which changes the casting modes, I wish everyone
> good luck. I may be wrong, can happen ;), but we simply do not know
> and will not know before 7.0.0 is out. Good luck to change them again
> to "adapt and tweak", and good luck to the app
On Wed, Feb 25, 2015 at 7:06 PM, Anthony Ferrara
wrote:
> Dmitry,
>
> > But checks are performed not in the caller but in RECV opcode at called
> > function.
> > And in this function we don't know if it's going to be called only in
> strict
> > mode or in weak as well.
>
> Currently, yes. However
Hi Lester,
I agree. The only way I imagine possible (maybe Derick can confirm), is
adding an optional case-sensitive mode and, then, much later, make it the
default.
Unlike raising E_DEPRECATED on case-insensitive comparisons, this approach
is technically possible. The only problem I see is that
Hi Yasuo,
I won’t have time to work more on DbC before one month. As I said, I am leaving
Saturday morning for 3 weeks, and use the 2 days left to rewrite the coercive
STH RFC with Zeev, and work on the corresponding patch with Dmitry.
So, feel free to put it to vote. Just reference my one
Hi Alexander,
On Tue, Feb 24, 2015 at 10:48 AM, Alexander Lisachenko <
lisachenko...@gmail.com> wrote:
> Morning!
>
> I want to ask this question one more time before PHP7 feature freeze: can
> we the engine case sensitive from PHP>=7.0?
>
> There is a draft for that: https://wiki.php.net/rfc/ca
On Wed, Feb 25, 2015 at 10:52 AM, Dmitry Stogov wrote:
> Hi Alexander,
>
> On Tue, Feb 24, 2015 at 10:48 AM, Alexander Lisachenko <
> lisachenko...@gmail.com> wrote:
>
>> Morning!
>>
>> I want to ask this question one more time before PHP7 feature freeze: can
>> we the engine case sensitive from
I welcome the proposal for an easy-to-use PHP function for obtaining
crypto-secure randomness. I have a number of comments and suggestions.
I think the function name(s) should indicate that these functions are
for getting crypto-secure randomness. I proposed cs_random_bytes()
previously (https://w
Hi Kevin,
On 25 February 2015 at 08:18, Kevin Ingwersen (Ingwie Phoenix)
wrote:
> Here are my cents to this RFC, as it just keeps popping in in my inbox and
> it's beginning to be one that I wish I could ignore.
>
> First, … file extensions? A default Apache configuration and some Nginx
> config
Hi Larry,
I think we'd be biting off too much to be worth chewing for other
character sets. Most uses are going to revolve around characters
allowed in URLs. Expanding that, to a degree, perhaps per a additional
character list, or character list flag, might not be too far, but
things will get inte
Tom,
On Wed, Feb 25, 2015 at 2:39 PM, Tom Worster wrote:
> I welcome the proposal for an easy-to-use PHP function for obtaining
> crypto-secure randomness. I have a number of comments and suggestions.
>
> I think the function name(s) should indicate that these functions are
> for getting crypto-s
On 2/25/15 5:45 AM, Peter Holák wrote:
One thing to consider when annotations are classes is whether using an
annotation should make the annotated class depend on the annotation
classes it uses. In other words, would a missing annotation class
produce an error? It doesn't in Java (at runtime, see
Hi!
> For example, the number of users that actually need to do something
> better than read from /dev/urandom is small. A user that is concerned
Good summary read on the topic: http://www.2uo.de/myths-about-urandom/
TLDR: it's ok to use /dev/urandom.
--
Stas Malyshev
smalys...@gmail.com
--
P
Hi
2015-02-25 8:45 GMT-03:00 Pascal MARTIN, AFUP :
>
>
> We've discussed this RFC with other people of AFUP, and even though there
> have been quite a few mails exchanged, I'm sorry to say we didn't reach a
> consensus -- and, as such, are neither -1 nor +1.
>
> Trying to summarize a few points:
Hi,
The voting for Group Use Declarations is now closed with 39 "yes" and 19
"no" votes. According to the established 2/3 majority requirement, it
passed.
https://wiki.php.net/rfc/group_use_declarations#votes
If you voted "no": your feedback is still as important as before, especially
in case you
Hi Jan,
On Thu, Feb 26, 2015 at 12:07 AM, Jan Ehrhardt wrote:
> Yasuo Ohgaki in php.internals (Wed, 25 Feb 2015 19:07:05 +0900):
> >I understand people do all kinds of things.
> >Therefore, I'm allowing
> >
> >ini_set('zend.script_extension', ''); // Disable protections at all.
> >
> >It's users
Hi all,
I would like to start [DISCUSSION] for this RFC.
RFC may need an update, but these changes can be done during the discussion
also.
Any comments for starting discussion?
P.S. I'll prepare simple "Vote Only" RFC for 2 RFCs. Please feel free to
change/improve it.
--
Yasuo Ohgaki
yohg...@ohga
On 2/25/15, 3:24 PM, "Stanislav Malyshev" wrote:
>Good summary read on the topic: http://www.2uo.de/myths-about-urandom/
>TLDR: it's ok to use /dev/urandom.
Yes! Thanks for the link. Much shorter but with pretty much the same
message, I like:
http://sockpuppet.org/blog/2014/02/25/safely-generat
Yasuo Ohgaki in php.internals (Thu, 26 Feb 2015 06:20:46 +0900):
>I probably don't understand your question. We already have php_value and
>php_admin_value to change INI value in .htaccess (and like).
>
> php_value "zend.script_extensions" ".php .myext" # Works like globals
>ini_set()
> php_admin_
Hi all,
Vote for script only include/require RFC is started.
This RFC closes one of the fatal security holes in PHP programs with
simple patch.
https://wiki.php.net/rfc/script_only_include
https://github.com/php/php-src/pull/
Vote ends 2015/3/12
It seems there are misunderstandings about the
Hi people,
I hope this is not too much off topic but I saw today that Travis now
supports nightly builds as a possible PHP version, they documented it here:
http://docs.travis-ci.com/user/languages/php/#PHP-nightly-builds
I think it would be good to incitate all the frameworks and projects
us
Hi Jan,
On Thu, Feb 26, 2015 at 6:55 AM, Jan Ehrhardt wrote:
> Yasuo Ohgaki in php.internals (Thu, 26 Feb 2015 06:20:46 +0900):
> >I probably don't understand your question. We already have php_value and
> >php_admin_value to change INI value in .htaccess (and like).
> >
> > php_value "zend.scri
Hi,
Pascal Chevrel writes:
> Hi people,
>
> I hope this is not too much off topic but I saw today that Travis now
> supports nightly builds as a possible PHP version, they documented it here:
> http://docs.travis-ci.com/user/languages/php/#PHP-nightly-builds
>
> I think it would be good to incit
Hi Florian
On 25 February 2015 at 22:25, Florian Margaine wrote:
> Hi,
>
> Pascal Chevrel writes:
>
>> Hi people,
>>
>> I hope this is not too much off topic but I saw today that Travis now
>> supports nightly builds as a possible PHP version, they documented it here:
>> http://docs.travis-ci.co
Hi Stas,
On Thu, Feb 26, 2015 at 7:06 AM, Yasuo Ohgaki wrote:
> It seems there are misunderstandings about the issue and the protection.
> If you would like to vote "no", please read the RFC carefully.
> If you find fatal reason to reject this RFC, it is about arbitrary code
> execution
> and
Hey Tom,
On 25 February 2015 at 19:39, Tom Worster wrote:
> I don't understand the requirement for crypto-secure random integers.
> I have never encountered this requirement. [Btw: the proposed patch
> implements this function using a loop that's not guaranteed to
> terminate in any given amount
On 25 February 2015 at 20:24, Stanislav Malyshev wrote:
> Hi!
>
>> For example, the number of users that actually need to do something
>> better than read from /dev/urandom is small. A user that is concerned
>
> Good summary read on the topic: http://www.2uo.de/myths-about-urandom/
> TLDR: it's ok
Yasuo Ohgaki in php.internals (Thu, 26 Feb 2015 07:18:59 +0900):
>> If you already have this feature, then you are promoting the RFC the
>> wrong way. You are constantly hammering on ini_set() to mitigate the
>> effects of the change. That would cause a lot of code changes for many
>> frameworks.
>
Hi!
> I saw you voted "no".
> Could you share us the reason behind?
I think I did, in my past messages to the list, but maybe I was not
clear. I will repeat in short:
1. I think this RFC does not provide any security improvement, due to
extreme ease with which the measures in this RFC can be cir
On Feb 25, 2015 2:34 PM, "Pádraic Brady" wrote:
>
> Hi Florian
>
> On 25 February 2015 at 22:25, Florian Margaine
wrote:
> > Hi,
> >
> > Pascal Chevrel writes:
> >
> >> Hi people,
> >>
> >> I hope this is not too much off topic but I saw today that Travis now
> >> supports nightly builds as a po
Hi!
> This is only a minor detail, compared with the other PHP7 changes.
Not that minor actually since you'd have to enumerate all extensions
used in your app, which can use libraries, which may use other
extensions - like Smarty or some other template library - and it may be
non-trivial to find
Le 25/02/2015 23:25, Florian Margaine a écrit :
Hi,
Pascal Chevrel writes:
Hi people,
I hope this is not too much off topic but I saw today that Travis now
supports nightly builds as a possible PHP version, they documented it here:
http://docs.travis-ci.com/user/languages/php/#PHP-nightly-bu
Hi Stanislav,
On 25 February 2015 at 22:46, Stanislav Malyshev wrote:
> Hi!
>
>> I saw you voted "no".
>> Could you share us the reason behind?
>
> I think I did, in my past messages to the list, but maybe I was not
> clear. I will repeat in short:
>
> 1. I think this RFC does not provide any sec
Hi Stas,
Thank you for your reply. I understand your view, yet I thought
it's better to share your view with all of us.
On Thu, Feb 26, 2015 at 7:46 AM, Stanislav Malyshev
wrote:
> > I saw you voted "no".
> > Could you share us the reason behind?
>
> I think I did, in my past messages to the li
1 - 100 of 128 matches