Hi,

Regarding PSR-3 (Logger Interface), at the moment the $message is simply defined as a string (or stringable).

That's fine, but it relies on the developer understanding that they cannot include untrusted user values in the message, and for them to never make a mistake - which could lead to a log-injection vulnerability.

Since September 2021, both PHPStan and Psalm support the `literal-string` type:

https://github.com/vimeo/psalm/releases/tag/4.8.0
https://github.com/phpstan/phpstan/releases/tag/0.12.97

This allows static analysis tools to check $message is a trusted, developer-defined string; it can still use variables, and it supports concatenation as well (so long as all of the strings are also of the literal-string type), so I'm hopeful that it's relaxed enough of a check to not cause problems, while still identifying mistakes that could lead to a security issue.

I'm wondering if this would be appropriate to use in a future version of the Logger Interface? Something like:

https://github.com/craigfrancis/php-fig-log/commit/80ac8b82cb049fb11cefa8a5ad199751d34149d0

Thanks,
Craig
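An added illustration (not code from the post, the linked commit, or PSR-3 itself) of the mistake the `literal-string` annotation is meant to catch, and of the pattern that passes the check. The `Logger` class is a hypothetical minimal stand-in; its newline stripping of context values is this example's own choice, not something the type annotation provides.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical minimal PSR-3 style logger, written for this example only.
 * It collects lines in memory so the snippet is self-contained.
 */
final class Logger
{
    /** @var list<string> */
    public array $lines = [];

    /**
     * @param literal-string       $message Developer-written text only; PHPStan/Psalm
     *                                      reject a plain `string` here. Concatenating
     *                                      two literal-strings is still accepted.
     * @param array<string, mixed> $context Untrusted values travel here, not in $message.
     */
    public function info(string $message, array $context = []): void
    {
        $replace = [];
        foreach ($context as $key => $value) {
            if (!is_scalar($value) && !$value instanceof Stringable) {
                continue; // keep the example simple: skip non-stringable values
            }
            // Because the data is separated from the message, the logger can
            // neutralise line breaks before they reach the log file.
            $replace['{' . $key . '}'] = preg_replace('/[\r\n]+/', ' ', (string) $value);
        }
        $this->lines[] = strtr($message, $replace); // PSR-3 {placeholder} interpolation
    }
}

$logger = new Logger();

// Constructed sample of untrusted input, e.g. a submitted username.
$username = "alice\nINFO: User admin logged in";

// The mistake: untrusted data concatenated into $message. The resulting type is
// `string`, not `literal-string`, so static analysis flags this call.
// $logger->info('Login failed for ' . $username);

// Passes the check: $message stays a developer-defined literal, data goes in $context.
$logger->info('Login failed for {user}', ['user' => $username]);

// Also passes: concatenation of two literal-strings.
$prefix = 'auth: ';
$logger->info($prefix . 'Login failed for {user}', ['user' => $username]);

print_r($logger->lines); // each entry remains a single log line
```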