Re: [PHP-DEV] Vote: Straw poll for P++ feasibility

2019-08-15 Thread Peter Kokot
On Wed, 14 Aug 2019 at 22:41, Zeev Suraski wrote: > > On Wed, Aug 14, 2019 at 6:14 PM Derick Rethans wrote: > > > Hi, > > > > In the last week(s) there has been a lot of chat about Zeev's P++ idea. > > Before we end up spending this project's time and energy to explore this > > idea further, I

Re: [PHP-DEV] Vote: Straw poll for P++ feasibility

2019-08-15 Thread Olumide Samson
Power of democracy, maturity and love (for this same project PHP), I guess. If this same love and energy could be put in place to know the directions and future PHP hold (like are we moving forward or not), that will seriously be a game changer. On Thu, Aug 15, 2019, 2:00 PM Kris Craig wrote: >

Re: [PHP-DEV] Vote: Straw poll for P++ feasibility

2019-08-15 Thread Kris Craig
On Thu, Aug 15, 2019, 3:20 AM Olumide Samson wrote: > On Thu, Aug 15, 2019, 10:52 AM Peter Kokot wrote: > > > On Wed, 14 Aug 2019 at 22:41, Zeev Suraski wrote: > > > > > > On Wed, Aug 14, 2019 at 6:14 PM Derick Rethans wrote: > > > > > > > Hi, > > > > > > > > In the last week(s) there has

[PHP-DEV] PHP 7.3.9RC1 is available for testing

2019-08-15 Thread Christoph M. Becker
PHP 7.3.9RC1 has just been released and can be downloaded from: Or use the git tag: php-7.3.9RC1 Windows binaries are available at: Please test it carefully, and report any bugs in the bug system. 7.3.9 should be expected in 2

Re: [PHP-DEV] Vote: Straw poll for P++ feasibility

2019-08-15 Thread Olumide Samson
On Thu, Aug 15, 2019, 10:52 AM Peter Kokot wrote: > On Wed, 14 Aug 2019 at 22:41, Zeev Suraski wrote: > > > > On Wed, Aug 14, 2019 at 6:14 PM Derick Rethans wrote: > > > > > Hi, > > > > > > In the last week(s) there has been a lot of chat about Zeev's P++ idea. > > > Before we end up spending

[PHP-DEV] PHP 7.2.22RC1 is available for testing

2019-08-15 Thread Sara Golemon
Hi, PHP 7.2.22 RC1 was just released and can be downloaded from: https://downloads.php.net/~pollita/ Or using the git tag: php-7.2.22RC1 The Windows binaries are available at: http://windows.php.net/qa/ Please test it carefully, and report any bugs in the bug system. 7.2.22 should be

[PHP-DEV] Literal / Taint checking

2019-08-15 Thread Craig Francis
Hi, How likely would it be for PHP to do Literal tracking of variables? This is something that's being discussed JavaScript TC39 at the moment [1], and I think it would be even more useful in PHP. We already know we should use parameterized/prepared SQL, but there is no way to prove the SQL

Re: [PHP-DEV] Literal / Taint checking

2019-08-15 Thread Craig Francis
On Thu, 15 Aug 2019 at 19:05, Benjamin Eberlei wrote: > On Thu, Aug 15, 2019 at 8:03 PM Craig Francis > wrote: > >> Hi, >> >> How likely would it be for PHP to do Literal tracking of variables? >> >> This is something that's being discussed JavaScript TC39 at the moment >> [1], >> and I think

Re: [PHP-DEV] Vote: Straw poll for P++ feasibility

2019-08-15 Thread Zeev Suraski
I did not intend to write anything else in this thread, but since someone reverted the edits I made to fix the description of the P++ idea in the poll, I have to. One of the many ways in which this poll was problematic is that it substantially misrepresents the idea - while claiming that this is

Re: [PHP-DEV] Literal / Taint checking

2019-08-15 Thread Benjamin Eberlei
On Thu, Aug 15, 2019 at 8:03 PM Craig Francis wrote: > Hi, > > How likely would it be for PHP to do Literal tracking of variables? > > This is something that's being discussed JavaScript TC39 at the moment [1], > and I think it would be even more useful in PHP. > > We already know we should use

Re: [PHP-DEV] Literal / Taint checking

2019-08-15 Thread Matthew Brown
There are already some userland taint-checking solutions for PHP e.g. the Phan taint-check plugin from MediaWiki: https://www.mediawiki.org/wiki/Phan-taint-check-plugin I'm working on my own userland solution, too (based on Facebook's approach). Demo is here: https://psalm.dev/r/ebb9522fea

Re: [PHP-DEV] Literal / Taint checking

2019-08-15 Thread Matthew Brown
> If anything, this proposal would help user-land solutions (it gives them > more information while the code is in running). > Well, it might help runtime-based user-land solutions, but not static analysis-based solutions. In our bug disclosure program at Vimeo we've had no SQL injection issues

Re: [PHP-DEV] Literal / Taint checking

2019-08-15 Thread Craig Francis
On Thu, 15 Aug 2019 at 21:37, Matthew Brown wrote: > > If anything, this proposal would help user-land solutions (it gives them >> more information while the code is in running). >> > > Well, it might help runtime-based user-land solutions, but not static > analysis-based solutions. > I mostly

Re: [PHP-DEV] Vote: Straw poll for P++ feasibility

2019-08-15 Thread Peter Kokot
Hello, On Wed, 14 Aug 2019 at 17:14, Derick Rethans wrote: > > Hi, > > In the last week(s) there has been a lot of chat about Zeev's P++ idea. > Before we end up spending this project's time and energy to explore this > idea further, I thought it'd be wise to see if there is enough animo for >

Re: [PHP-DEV] Literal / Taint checking

2019-08-15 Thread Craig Francis
On Thu, 15 Aug 2019 at 7:43 pm, Matthew Brown wrote: > There are already some userland taint-checking solutions for PHP e.g. the > Phan taint-check plugin from MediaWiki: > https://www.mediawiki.org/wiki/Phan-taint-check-plugin > > I'm working on my own userland solution, too (based on