rfc:deprecations_php_7_2

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
Next revisionBoth sides next revision
rfc:deprecations_php_7_2 [2016/11/07 21:13] nikicrfc:deprecations_php_7_2 [2016/12/21 16:25] nikic
Line 111: Line 111:
 This behavior of ''assert()'' makes it easy to introduce subtle remote code execution vulnerabilities. Using ''assert($value)'' to check if a value is truthy opens an RCE vulnerability if there is any chance for ''$value'' to be a string. This behavior of ''assert()'' makes it easy to introduce subtle remote code execution vulnerabilities. Using ''assert($value)'' to check if a value is truthy opens an RCE vulnerability if there is any chance for ''$value'' to be a string.
  
-Proposed action: Throw a deprecation notice if ''assert()'' is used with a string argument.+Proposed action: Throw a deprecation notice if ''assert()'' is used with a string argument. The deprecation notice is only thrown if assertions are enabled (both zend.assertions and assert.active must be enabled).
  
 ==== $errcontext argument of error handler ==== ==== $errcontext argument of error handler ====
Line 118: Line 118:
  
 This functionality is problematic for optimization, because the ''$errcontext'' can be used to modify all references and objects in the current scope. As far as I am aware, this functionality is barely used and the trade-off here is not worthwhile. If people wish to inspect the variable-state at the point of an error, they should use a proper debugger. This functionality is problematic for optimization, because the ''$errcontext'' can be used to modify all references and objects in the current scope. As far as I am aware, this functionality is barely used and the trade-off here is not worthwhile. If people wish to inspect the variable-state at the point of an error, they should use a proper debugger.
 +
 +Note that the error context only contains the local variables at the error-site. The error backtrace, including ''$this'' and function arguments, will of course stay available through ''debug_backtrace()''.
  
 Proposed action: Throw deprecation notice if error handler has five or more arguments. Otherwise, do not pass the ''$errcontext''. This prevents circumvention with ''func_get_args()''. Proposed action: Throw deprecation notice if error handler has five or more arguments. Otherwise, do not pass the ''$errcontext''. This prevents circumvention with ''func_get_args()''.
Line 147: Line 149:
   * Second argument to ''spl_autoload''.   * Second argument to ''spl_autoload''.
   * The ticks mechanism, which is obsoleted by async signal handling.   * The ticks mechanism, which is obsoleted by async signal handling.
 +  * ''php_sapi_name'', ''phpversion'' and ''pi'': These functions return constant values corresponding to ''PHP_SAPI'', ''PHP_VERSION'' and ''M_PI''.
 +  * The ''(real)'' cast and ''is_real()'' functions. ''real'' is an alias for ''float''/''double'' which sees significantly less use than the other two variants.
  
 ===== Rejected deprecations ===== ===== Rejected deprecations =====
rfc/deprecations_php_7_2.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1