====== PHP RFC: Fix overflow in octal parsing ====== * Version: 1.1 * Date: 2016-04-12 * Author: Sara Golemon * Status: Implemented * First Published at: https://wiki.php.net/rfc/octal.overload-checking ===== Introduction ===== Parsing of Octal (base 8) numbers contained in an interpolated string currently matches the pattern \\[0-7]{1,3}, that is a backslash followed by between one and three octits (numbers with an ordinal value between zero and seven). However, in order for a 3 octit number to fit within the space of a single character (one byte), the first octit is actually limited to base 4 (values from 0 to 3). Currently, PHP does not guard against an overflow in the first octit of a 3 octit octal value, instead allowing the value to silently overflow without warning. Thus "\000" === "\400", "\100" === "\500", "\200" === "\600", and "\300" === "\700", and so on... ===== Proposal ===== This RFC seeks to decide which approach to take in addressing this undesired behavior. - Do nothing. Some terrible application is relying on this behavior and there's no burning need to fix it. - Retain the current overflow behavior, but raise a compile-time warning "Octal escape sequence overflow {} is greater than \\377" - Limit octal numbers to \\[0-3]?[0-7]{0,2} meaning that sequences like "\456" would be parsed as octal 45 (decimal 37, e.g. a '%' character) followed by a literal 6 Options 2 and 3 may involve a deprecation/warning period followed by a permanent change. **Update:** Between minimal comment and a lack of severity of this case. I've opted to initiate a vote for option 2. Produce a compile-time warning about value overflow. ===== Backward Incompatible Changes ===== New compile-time warning is raised on overflow during interpolation. ===== Proposed PHP Version(s) ===== 7.1 ===== Vote ===== Required 50% + 1 \\ Opened: 2016-04-29 21:30 UTC \\ Closed: 2016-05-13 23:59 UTC * Yes * No ===== References ===== Implementation: https://github.com/php/php-src/commit/95af467d8def3f3453670340f4e65ce7c189d4f6 The subject of this RFC is [[https://bugs.php.net/bug.php?id=71994|Bug#71994]]