PHP RFC: Fix overflow in octal parsing

PHP RFC: Fix overflow in octal parsing

Version: 1.1
Date: 2016-04-12
Author: Sara Golemon pollita@php.net
Status: Implemented
First Published at: https://wiki.php.net/rfc/octal.overload-checking

Introduction

Parsing of Octal (base 8) numbers contained in an interpolated string currently matches the pattern \\[0-7]{1,3}, that is a backslash followed by between one and three octits (numbers with an ordinal value between zero and seven). However, in order for a 3 octit number to fit within the space of a single character (one byte), the first octit is actually limited to base 4 (values from 0 to 3).

Currently, PHP does not guard against an overflow in the first octit of a 3 octit octal value, instead allowing the value to silently overflow without warning. Thus “\000” === “\400”, “\100” === “\500”, “\200” === “\600”, and “\300” === “\700”, and so on...

Proposal

This RFC seeks to decide which approach to take in addressing this undesired behavior.

Do nothing. Some terrible application is relying on this behavior and there's no burning need to fix it.
Retain the current overflow behavior, but raise a compile-time warning “Octal escape sequence overflow {} is greater than \\377”
Limit octal numbers to \\[0-3]?[0-7]{0,2} meaning that sequences like “\456” would be parsed as octal 45 (decimal 37, e.g. a '%' character) followed by a literal 6

Options 2 and 3 may involve a deprecation/warning period followed by a permanent change.

Update: Between minimal comment and a lack of severity of this case. I've opted to initiate a vote for option 2. Produce a compile-time warning about value overflow.

Backward Incompatible Changes

New compile-time warning is raised on overflow during interpolation.

Proposed PHP Version(s)

7.1

Vote

Required 50% + 1
Opened: 2016-04-29 21:30 UTC
Closed: 2016-05-13 23:59 UTC

Raise warning on octal interpolation overflow?
Real name	Yes	No
ajf (ajf)
bwoebi (bwoebi)
cmb (cmb)
colinodell (colinodell)
daverandom (daverandom)
davey (davey)
derick (derick)
francois (francois)
galvao (galvao)
guilhermeblanco (guilhermeblanco)
jhdxr (jhdxr)
kalle (kalle)
kguest (kguest)
kinncj (kinncj)
leigh (leigh)
lstrojny (lstrojny)
malukenho (malukenho)
mariano (mariano)
mbeccati (mbeccati)
mcmic (mcmic)
mgocobachi (mgocobachi)
mightyuhu (mightyuhu)
nikic (nikic)
ocramius (ocramius)
pierrick (pierrick)
pollita (pollita)
rasmus (rasmus)
rdohms (rdohms)
rmf (rmf)
sammyk (sammyk)
santiagolizardo (santiagolizardo)
svpernova09 (svpernova09)
thorstenr (thorstenr)
till (till)
treffynnon (treffynnon)
trowski (trowski)
yohgaki (yohgaki)
zimt (zimt)
Final result:	37	1
This poll has been closed.

References

Implementation: https://github.com/php/php-src/commit/95af467d8def3f3453670340f4e65ce7c189d4f6

The subject of this RFC is Bug#71994

Table of Contents