[PHP-DEV] [RFC] Define proper semantics for range() function
Hello internals,

While working on analysing the impact of the changes proposed by amending the behaviour of the increment and decrement operators (https://wiki.php.net/rfc/saner-inc-dec-operators) I discovered that the range() function has some rather lax behaviour that is very unintuitive.

I therefore propose the "Define proper semantics for range() function" RFC to address the unintuitive behaviour that sees no usage and/or hides bugs:
https://wiki.php.net/rfc/proper-range-semantics

The change proposes to throw TypeErrors and ValueErrors for cases where I couldn't find occurrences in the wild and hide bugs, and emit some E_WARNINGs for cases that are hard to detect via static analysis.

Best regards

George P. Banyard

Re: [PHP-DEV] RFC [Discussion]: Make unserialize() emit a warning for trailing bytes
On Mon, Mar 27, 2023, at 2:12 PM, Mel Dafert wrote:
> On 27 March 2023 20:20:58 CEST, "Michał Marcin Brzuchalski" wrote:
>> Personally, I'd like the unserialize to throw an exception if trailing
>> bytes are detected.
>> If not by default then with the use of the option passed to unserialize
>> function.
>
> If that's the desired direction, it makes more sense to emit a
> deprecation notice
> now and throw an exception starting in 9.0.
>
> Regards,
> Mel Dafert

I would also favor throwing an exception. This is a security vector being closed, and that should be closed *hard*. Warnings tend to show up where they're not useful (dev) and get not noticed where they are (prod). Go all the way to an exception here.

I'm flexible on if that happens in 8.3 or 9. Maybe warning now, with exception in 9? I don't know if that's better from a BC POV, but it should end up as an exception.

--Larry Garfield

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php

Re: [PHP-DEV] RFC [Discussion]: Make unserialize() emit a warning for trailing bytes
On 27 March 2023 20:20:58 CEST, "Michał Marcin Brzuchalski" wrote:
> Personally, I'd like the unserialize to throw an exception if trailing
> bytes are detected.
> If not by default then with the use of the option passed to unserialize
> function.

If that's the desired direction, it makes more sense to emit a deprecation notice now and throw an exception starting in 9.0.

Regards,
Mel Dafert

Re: [PHP-DEV] RFC [Discussion]: Make unserialize() emit a warning for trailing bytes
Hi Tim, thanks for the RFC

Mon, 27 Mar 2023 at 19:04 Tim Düsterhus wrote:
> Hi
>
> I'm now opening discussion for the RFC "Make unserialize() emit a
> warning for trailing bytes":
>
> RFC: Make unserialize() emit a warning for trailing bytes
> https://wiki.php.net/rfc/unserialize_warn_on_trailing_data
>
> Proof of concept implementation is in:
>
> https://github.com/php/php-src/pull/9630
>
> Best regards
> Tim Düsterhus

Personally, I'd like the unserialize to throw an exception if trailing bytes are detected.
If not by default then with the use of the option passed to unserialize function.

Cheers,
Michał Marcin Brzuchalski

[PHP-DEV] RFC [Discussion]: Make unserialize() emit a warning for trailing bytes
Hi

I'm now opening discussion for the RFC "Make unserialize() emit a warning for trailing bytes":

RFC: Make unserialize() emit a warning for trailing bytes
https://wiki.php.net/rfc/unserialize_warn_on_trailing_data

Proof of concept implementation is in:

https://github.com/php/php-src/pull/9630

Best regards
Tim Düsterhus
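
Added example, not part of the thread, the RFC or the php-src pull request: a userland wrapper that gives the exception behaviour asked for in the replies by turning any diagnostic from unserialize() into a thrown error. It assumes a PHP runtime in which unserialize() emits the E_WARNING this RFC proposes; strictUnserialize() and UnserializeFailed are hypothetical names, and the payloads are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical exception type for this example.
final class UnserializeFailed extends RuntimeException {}

// Hypothetical helper: unserialize() that fails closed.
// Objects are refused by default (allowed_classes => false).
function strictUnserialize(string $data, array $options = ['allowed_classes' => false]): mixed
{
    // Promote every warning/notice raised during the call to an exception,
    // so a trailing-bytes diagnostic cannot be lost in a production log.
    set_error_handler(
        static function (int $severity, string $message): never {
            throw new UnserializeFailed($message, $severity);
        },
        E_WARNING | E_NOTICE
    );
    try {
        $value = unserialize($data, $options);
    } finally {
        restore_error_handler(); // always put the previous handler back
    }
    // unserialize() returns false on failure; 'b:0;' is the only valid
    // encoding of a genuine boolean false.
    if ($value === false && $data !== 'b:0;') {
        throw new UnserializeFailed('unserialize() returned false');
    }
    return $value;
}

// Constructed sample input: a clean payload and the same payload with
// extra bytes appended after the first complete value.
$clean    = serialize(['user' => 'alice', 'admin' => false]);
$tampered = $clean . 's:5:"extra";';

foreach (['clean' => $clean, 'tampered' => $tampered] as $label => $payload) {
    try {
        $result = strictUnserialize($payload);
        echo $label, ': accepted ', json_encode($result), PHP_EOL;
    } catch (UnserializeFailed $e) {
        echo $label, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

On a runtime that does not emit the proposed warning, the tampered payload is accepted silently, which is the behaviour the RFC sets out to change.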