rfc:deprecations_php_7_2 [2016/11/07 21:13] – nikic | rfc:deprecations_php_7_2 [2016/12/21 16:25] – nikic |
---|
This behavior of ''assert()'' makes it easy to introduce subtle remote code execution vulnerabilities. Using ''assert($value)'' to check if a value is truthy opens an RCE vulnerability if there is any chance for ''$value'' to be a string. | This behavior of ''assert()'' makes it easy to introduce subtle remote code execution vulnerabilities. Using ''assert($value)'' to check if a value is truthy opens an RCE vulnerability if there is any chance for ''$value'' to be a string. |
| |
Proposed action: Throw a deprecation notice if ''assert()'' is used with a string argument. | Proposed action: Throw a deprecation notice if ''assert()'' is used with a string argument. The deprecation notice is only thrown if assertions are enabled (both zend.assertions and assert.active must be enabled). |
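The following script is an added illustration of the ''assert()'' hazard described above; it is not part of the RFC or of the PHP source. The helper names ''require_truthy_vulnerable'' and ''require_truthy_safe'' and the ''$payload'' string are constructed for the example. It assumes PHP 7.0 to 7.4 run with ''zend.assertions=1'' and ''assert.active=1'' (the built-in and php.ini-development defaults), where a string passed to ''assert()'' is compiled as ''return <string>;'' and executed. On PHP 8 the string is treated as ordinary data.

```php
<?php
// Added example (not part of the RFC or of PHP itself): how assert() with a
// string argument becomes code execution on PHP 7.x, and the boolean form
// that avoids it. Assumes zend.assertions=1 and assert.active=1.

declare(strict_types=1);

// Make a failed assertion throw instead of only emitting a warning, so the
// hardened variant's failure is visible below (PHP 7 default is 0).
ini_set('assert.exception', '1');

/**
 * Vulnerable helper (constructed name): intends to check that $value is
 * truthy, but if $value is a string PHP 7 compiles and runs it as code.
 */
function require_truthy_vulnerable($value): void
{
    assert($value);
}

/**
 * Hardened helper (constructed name): the argument is always a bool, so a
 * string payload is only data. The (bool) cast keeps the intended truthiness
 * semantics without ever handing assert() a string.
 */
function require_truthy_safe($value): void
{
    assert((bool) $value);
}

// Constructed attacker-controlled input, e.g. $_GET['name'] in a real
// application. It is a valid PHP expression with a side effect (a harmless
// print stands in for system()) that also evaluates truthy, so the assertion
// passes and nothing looks wrong to the caller.
$payload = "print('code executed inside assert()' . PHP_EOL)";

// PHP 7.0/7.1: executes the payload silently.
// PHP 7.2-7.4: executes it and additionally emits E_DEPRECATED
//              "Calling assert() with a string argument is deprecated".
require_truthy_vulnerable($payload);

// Same input, hardened form: a non-empty string is truthy, assertion passes,
// nothing is executed.
require_truthy_safe($payload);

// The hardened form still reports genuinely falsy input.
try {
    require_truthy_safe('');
} catch (AssertionError $e) {
    echo 'Assertion failed as expected for empty string', PHP_EOL;
}
```

Two practical caveats follow from the proposal text: the deprecation notice is only raised when assertions are enabled, so a production host running ''zend.assertions=-1'' never warns about ''assert($string)'' even though the identical code is exploitable on any development or staging host that runs with assertions on; and compiling assertions out in production is a mitigation, not a fix, because the string evaluation returns the moment the INI setting changes. Replacing the call with a boolean expression removes the problem on every configuration.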
| |
==== $errcontext argument of error handler ==== | ==== $errcontext argument of error handler ==== |
| |
This functionality is problematic for optimization, because the ''$errcontext'' can be used to modify all references and objects in the current scope. As far as I am aware, this functionality is barely used and the trade-off here is not worthwhile. If people wish to inspect the variable-state at the point of an error, they should use a proper debugger. | This functionality is problematic for optimization, because the ''$errcontext'' can be used to modify all references and objects in the current scope. As far as I am aware, this functionality is barely used and the trade-off here is not worthwhile. If people wish to inspect the variable-state at the point of an error, they should use a proper debugger. |
| |
| Note that the error context only contains the local variables at the error-site. The error backtrace, including ''$this'' and function arguments, will of course stay available through ''debug_backtrace()''. |
| |
Proposed action: Throw deprecation notice if error handler has five or more arguments. Otherwise, do not pass the ''$errcontext''. This prevents circumvention with ''func_get_args()''. | Proposed action: Throw deprecation notice if error handler has five or more arguments. Otherwise, do not pass the ''$errcontext''. This prevents circumvention with ''func_get_args()''. |
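The script below is an added illustration of why ''$errcontext'' is a problem for the optimizer and of the four-argument handler form the proposal steers code towards; it is not part of the RFC or of PHP. The handler names, the ''work()'' function and the ''$settings'' object are constructed for the example. It assumes PHP 7.0 or 7.1 behaviour, where ''$errcontext'' is a copy of the error-site symbol table in which objects (and variables that are already references) still point at the originals, so a write through the array is a write into the scope that raised the error.

```php
<?php
// Added example (not part of the RFC or of PHP itself): the fifth
// $errcontext parameter lets an error handler mutate the error site's
// objects; the four-parameter handler cannot. Assumes PHP 7.0/7.1.

declare(strict_types=1);

// Five-parameter handler: receives the local variables of the scope in which
// the error was raised. Touching an object reached through the array changes
// the caller's state, which is what prevents the engine from reasoning about
// locals across any call that might raise an error.
function handler_with_context(int $errno, string $errstr, string $errfile, int $errline, array $errcontext = null): bool
{
    echo "handler: $errstr", PHP_EOL;
    if ($errcontext !== null && isset($errcontext['settings']) && is_object($errcontext['settings'])) {
        // Side effect on the error site's object (constructed property name)
        $errcontext['settings']->debug = true;
    }
    return true; // error handled, execution continues
}

// Four-parameter handler: no access to the error-site locals. The call chain
// is still available via debug_backtrace() or a debugger. Once the proposal is
// implemented, func_get_args() also yields only these four values, so there is
// no back door to the context from here.
function handler_without_context(int $errno, string $errstr, string $errfile, int $errline): bool
{
    echo "handler: $errstr", PHP_EOL;
    return true;
}

// Error site: a local object whose state the handler can or cannot reach.
function work(): bool
{
    $settings = new stdClass();
    $settings->debug = false;
    trigger_error('something went wrong in work()', E_USER_WARNING);
    return $settings->debug;
}

set_error_handler('handler_with_context');
var_dump(work());      // bool(true): the handler mutated $settings via $errcontext

set_error_handler('handler_without_context');
var_dump(work());      // bool(false): locals of work() are untouched
```

Under the proposal, the first ''set_error_handler'' call (a handler declaring five parameters) is what draws the deprecation notice; the second form is unaffected and is the one to migrate to. Handlers that only need the backtrace should call ''debug_backtrace()'' themselves rather than keep the fifth parameter for that purpose.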
* Second argument to ''spl_autoload''. | * Second argument to ''spl_autoload''. |
* The ticks mechanism, which is obsoleted by async signal handling. | * The ticks mechanism, which is obsoleted by async signal handling. |
| * ''php_sapi_name'', ''phpversion'' and ''pi'': These functions return constant values corresponding to ''PHP_SAPI'', ''PHP_VERSION'' and ''M_PI''. |
| * The ''(real)'' cast and ''is_real()'' functions. ''real'' is an alias for ''float''/''double'' which sees significantly less use than the other two variants. |
| |
===== Rejected deprecations ===== | ===== Rejected deprecations ===== |