On Mar 16, 2015 6:46 PM, "Yasuo Ohgaki" <yohg...@ohgaki.net> wrote:
>
> Hi Dennis,
>
> On Mon, Mar 16, 2015 at 3:33 PM, Dennis Birkholz <den...@birkholz.biz>
> wrote:
>
> > Am 16.03.2015 um 07:22 schrieb Yasuo Ohgaki:
> > > Caller _must_ satisfy callee requirements. This is a simple principle for
> > > writing secure code.
> > >
> > > With this RFC, the caller overrides a security-related setting. This means
> > > scripts that are prepared for type safety are "ignored" and it leads to a
> > > security breach.
> >
> > that is simply not true! The callee always gets the type it expects.
> > There is no security problem involved here. The only difference is whether
> > type conversion rules apply or an error is raised for a type mismatch.
> >
> > You clearly dislike the RFC (you voted no), that is OK, but don't scream
> > about "security" bugs that don't exist. If they existed, all type hint
> > RFCs would have them in general.
> >
>
> Not only Java/etc. programmers but also PHP programmers will assume type
> safety from types.
>
> Programmers assume integer-typed data is safe once it is passed as an
> integer-typed parameter.
> I'm sure PHP programmers do assume the same thing.
>
> I posted "bad code"
>
> <?php
> function check_num_range(int $num) {
>     if ($num < 0 || $num > 100) trigger_error('Invalid range');
> }
> // Somewhere far from function definition.
> $num = $_GET['num'];
> // Somewhere far from $num definition.
> check_num_range($num); // Trying to check validity, int and range.
> echo 'You have '.$num.' now <br />'; // But $num could have any string.
>                                      // "check_num_range((int)$num)" wouldn't help either.
> ?>
>
> Caller-controlled strict typing makes this worse, i.e.
> <?php
> declare(strict_types=1);
> // We are safe since $num is strictly int. Callee has responsibility to
> // pass valid int. (But it's not)
> function check_num_range(int $num) {
>     if ($num < 0 || $num > 100) trigger_error('Invalid range');
> }
> ?>
>
> Setting register_globals=On while the callee script assumes
> register_globals=Off is a bad thing to do.
> A similar argument applies to declare(strict_types=1) also.
>
> As I suggested in the other thread, we had better sit down and make a
> reasonable decision.
> It's not religion but a technical issue. We can reach a reasonable consensus
> if we try to. If we cannot, it is better to introduce weak type hints only
> for the time being.

So basically you mixed topics and voted no for the one RFC that would allow
what you want to do later while allowing strict hinting already. Accepting
the other means changing casting rules again later at best. Not sure you
did well here ;-)
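The behaviour both posters are arguing about, with the check a practitioner would pair with a typed parameter, as an added example that is not code from either of them. It targets PHP 7.1+ in coercive ("weak") mode, i.e. a file without `declare(strict_types=1)`; `$query` is a constructed stand-in for `$_GET`, and `read_num` is an assumed name for the hardened reader.

```php
<?php
// Added example, not from the thread. No declare(strict_types=1) here, so
// calls made from this file use coercive ("weak") mode.

function check_num_range(int $num): void
{
    // Inside the callee, $num is always an int: the engine coerced or
    // rejected the argument before this body ran.
    if ($num < 0 || $num > 100) {
        trigger_error('Invalid range', E_USER_WARNING);
    }
}

// Constructed stand-in for $_GET.
$query = ['num' => '42'];

$num = $query['num'];
check_num_range($num);
// The callee saw int(42); the caller's own variable is untouched.
var_dump($num);                 // string(2) "42"

// A non-numeric string is rejected even in coercive mode.
try {
    check_num_range('abc');
} catch (TypeError $e) {
    echo get_class($e), ": ", $e->getMessage(), "\n";
}

// Hardened version (name assumed): validate at the trust boundary, with the
// range folded into the validation, and keep the int that comes back.
function read_num(array $query): ?int
{
    $v = filter_var($query['num'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 100],
    ]);
    return $v === false ? null : $v;
}

foreach (['42', '101', '-1', 'abc', '42abc', ''] as $raw) {
    var_dump(read_num(['num' => $raw]));   // int(42), then null for the rest
}

// Every later use works on the validated int, never on the raw request value.
$num = read_num($query);
if ($num === null) {
    http_response_code(400);
    exit('Bad num');
}
echo 'You have ', $num, " now<br />\n";
```

In a file that starts with `declare(strict_types=1)`, the first `check_num_range($num)` call above throws `TypeError` for the string `"42"` instead of coercing it. Either way the typed parameter only protects the callee's copy of the value, which is why the caller has to keep the validated int rather than the string it read from the request.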
