rfc:multibyte_char_handling

rfc:multibyte_char_handling [2014/02/03 09:12]
yohgaki
rfc:multibyte_char_handling [2017/09/22 13:28] (current)
Line 4: Line 4:
   * Date: 2014-02-03   * Date: 2014-02-03
   * Author: Yasuo Ohgaki, yohgaki@ohgaki.net ​   * Author: Yasuo Ohgaki, yohgaki@ohgaki.net ​
-  * Status: ​Under discussion+  * Status: ​Declined
   * First Published at: http://​wiki.php.net/​rfc/​multibyte_char_handling   * First Published at: http://​wiki.php.net/​rfc/​multibyte_char_handling
  
Line 27: Line 27:
 ==== Add mb_addslashes()/​mb_var_export()/​mb_stripslashes() to released versions ==== ==== Add mb_addslashes()/​mb_var_export()/​mb_stripslashes() to released versions ====
  
-For PHP 5.and up, add mb_add_slashes()/​mb_var_export()/​mb_strip_slashes() has encoding option.+For PHP 5.and up, add mb_add_slashes()/​mb_var_export()/​mb_strip_slashes() has encoding option.
  
 +<code php>
   string mb_add_slashes(string $str [, string $encoding=internal_encoding])   string mb_add_slashes(string $str [, string $encoding=internal_encoding])
   string mb_strip_slashes(string $str [, $encoding=internal_encoding])   string mb_strip_slashes(string $str [, $encoding=internal_encoding])
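Review bot: the function names in the body (`mb_add_slashes()`, `mb_strip_slashes()`) do not match the heading on the line above, which spells them `mb_addslashes()`/`mb_stripslashes()`; pick one spelling and use it in both places. In the same lines, `mb_strip_slashes` declares `[, $encoding=internal_encoding]` without the `string` type that `mb_add_slashes` gives the identical parameter, and "PHP 5.and up" is missing its minor version.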
Line 34: Line 35:
   string mb_strip_cslashes(string $str [, $encoding=internal_encoding])   string mb_strip_cslashes(string $str [, $encoding=internal_encoding])
   string mb_var_export(mixed $var [, bool $return=FALSE [, string $encoding=internal_encoding]])   string mb_var_export(mixed $var [, bool $return=FALSE [, string $encoding=internal_encoding]])
 +</​code>​
  
 addcslashes()/​stripcslashs() needs to be multibyte aware for the same reason addslashes()/​stripslashes(). addcslashes()/​stripcslashs() needs to be multibyte aware for the same reason addslashes()/​stripslashes().
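Review bot: the last context line still reads `stripcslashs()` (should be `stripcslashes()`), and `mb_strip_cslashes` lacks the `string` type on `$encoding` that `mb_var_export` declares for the same parameter; since this hunk already re-fences these lines, fix both here.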
Line 39: Line 41:
 ==== Add mb version of function uses php_mblen() ==== ==== Add mb version of function uses php_mblen() ====
  
-For PHP 5.and up, add mb_escape_shell_arg()/​mb_secape_shell_cmd()/​mb_fget_csv()/​etc that have extra encoding parameter like mb_add_slashes().+For PHP 5.and up, add mb_escape_shell_arg()/​mb_secape_shell_cmd()/​mb_fget_csv()/​etc that have extra encoding parameter like mb_add_slashes().
  
   * mb_escape_shell_arg()   * mb_escape_shell_arg()
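Review bot: the rewritten sentence keeps the typo `mb_secape_shell_cmd()`; the bullet that follows spells the argument variant `mb_escape_shell_arg()`, so the command variant should presumably be `mb_escape_shell_cmd()` to match. The same line also reads "PHP 5.and up" with no minor version, and "that have extra encoding parameter" wants "an extra encoding parameter".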
Line 59: Line 61:
 These function may override locale by encoding parameter. These function may override locale by encoding parameter.
 Since fgetcsv() uses locale now, do the same for fgetcsv(). Since fgetcsv() uses locale now, do the same for fgetcsv().
 +
 +==== mbstring.func_overload ====
 +
 +Some users are annoyed by sloppy multilingual implementations using
 +this option. There is feature request from user who want to remove ​
 +mbstring.func_overload INI option.
 +
 +https://​bugs.php.net/​bug.php?​id=65785
 +
 +However, func_overload is extended for now.
 +
  
 ==== mbstring usage and implementation ==== ==== mbstring usage and implementation ====
  
-For PHP 5.and up, all changes done in mbstring.+For PHP 5.and up, all changes done in mbstring.
  
 mbstring functions have history of remain insecure when single byte version of function'​s issue has been fixed. e.g. mb_prase_str(),​ mb_send_mail() Refactoring is preffered to avoid this issue, but refactoring is postponed until PHP6. i.e. There would be 2 codes that are mostly the same.  mbstring functions have history of remain insecure when single byte version of function'​s issue has been fixed. e.g. mb_prase_str(),​ mb_send_mail() Refactoring is preffered to avoid this issue, but refactoring is postponed until PHP6. i.e. There would be 2 codes that are mostly the same. 
  
-In short, if some one fixes related function, do not forget update mbstring code also.+In short, if some one fixes related function, do not forget ​to update mbstring code also.
  
 ===== Note about short and long term resolution ===== ===== Note about short and long term resolution =====
  
   * **Short term resolution**:​ Add required function to mbstring   * **Short term resolution**:​ Add required function to mbstring
-  * **Long term resolution**:​ Replace mbstring with mbstring-ng ​which does not have license issue+  * **Long term resolution**:​ Replace mbstring with mbstring-ng ​to provide multibyte aware functions by default. mbstring-ng ​does not have license issue.
  
 This RFC is for short term resolution. This RFC is for short term resolution.
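Review bot: the new mbstring.func_overload section states the complaint and the removal request (bug 65785) but not what this RFC does with the option; "However, func_overload is extended for now." is ambiguous between "kept as-is" and "given new behaviour", so say which. While the adjacent "do not forget to update" sentence is being edited, also correct `mb_prase_str()` (presumably `mb_parse_str()`) and "preffered" on the line just above it, and the rewritten long-term-resolution bullet should name the license behind "does not have license issue", since the case for mbstring-ng rests on it.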
Line 77: Line 90:
 Main objective is to remove vulnerability like CVE-2014-1239. Main objective is to remove vulnerability like CVE-2014-1239.
 To accomplish this objective, we need multibyte aware function by default which we To accomplish this objective, we need multibyte aware function by default which we
-don't have it right now.+don't have it now.
  
-We may compile current mbstring by default, but there is license issue for some +To remove vulnerability like CVE-2014-129 from user scripts, there must be multibyte aware functions by default. ​We may compile current mbstring by default, but there is license issue for some users. mbstring-ng does not have such issue and it is preferred to use it as default with respect to license, but it's far from complete
-users. mbstring-ng does not have such issue and it is preferred to use it as default + 
-with respect to license, but it's far from complete.+Since there is no feasible option right now, short and long term resolution is needed.
  
-Since there is no feasible option right now, load map for short and long  
-term resolution is needed. 
  
-When mbstring-ng development is finished, we should have vote whether mbstring 
-is replaced by mbstring-ng or not. 
  
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
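Review bot: the new paragraph writes `CVE-2014-129` while the context line two lines above it has `CVE-2014-1239`; the identifier must be the same in both places. The added opening sentence ("there must be multibyte aware functions by default") also repeats what the two preceding context lines already say, and the paragraph ends at "far from complete" with no full stop. The removed sentence about voting on mbstring-ng once its development finishes reappears under Future Scope further down, so nothing is lost, but this section now has no pointer to that vote.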
Line 95: Line 104:
 ===== Proposed PHP Version(s) ===== ===== Proposed PHP Version(s) =====
  
-  * PHP 5.and up - Introduce additional mb_*() functions+  * PHP 5.and up - Introduce additional mb_*() functions
  
 ===== Future Scope ===== ===== Future Scope =====
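Review bot: "PHP 5.and up" in the Proposed PHP Version(s) bullet has no minor version, and this is the one section where the exact minimum release matters; since the line is being touched anyway, spell out which 5.x release the new mb_*() functions target.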
Line 101: Line 110:
   * mbstring may be replaced by mbstring-ng in future release and mbstring may be moved to PECL.   * mbstring may be replaced by mbstring-ng in future release and mbstring may be moved to PECL.
  
-===== Open Issues =====+There is other RFC for introducing mbstring-ng as a EXPERIMENTAL module.
  
-Use of mbstring.func_overload INI for overriding single byte string functions by mbstring ​functions ​is left open issue for future releases.+When mbstring-ng development is finished, there will be a vote whether ​mbstring 
 +is replaced by mbstring-ng or not
  
-Some users are annoyed by sloppy multilingual implementations using +===== Open Issues =====
-this option. There is feature request from user who want to remove  +
-mbstring.func_overload INI option. +
- +
-https://​bugs.php.net/​bug.php?​id=65785 +
- +
-However, func_overload is extended for now.+
  
 ===== Proposed Voting Choices ===== ===== Proposed Voting Choices =====
  
-Yas/No+Yes/No
  
 ===== Patches and Tests ===== ===== Patches and Tests =====
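Review bot: the Open Issues heading is kept while its entire body is removed (it moves to the new mbstring.func_overload section), leaving an empty section; either write "None" under it or drop the heading. In the Future Scope additions, "a EXPERIMENTAL module" should read "an EXPERIMENTAL module", the sentence ending "is replaced by mbstring-ng or not" lacks a terminal full stop, and "other RFC for introducing mbstring-ng" would be more useful with the RFC's name or URL than as a generic reference.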
Line 123: Line 127:
 ===== Vote ==== ===== Vote ====
  
-VOTE: 2014/02/XX - 2014/02/XX+VOTE: 2014/02/10 - 2014/02/17
  
-This vote is only for adding new mb_*() functions to released versions. ​**mbstring-ng vote is done separately.**+This vote is only for adding new mb_*() functions to released versions. ​
  
 <doodle title="​Add required mb_*() functions to fix vulnerability"​ auth="​yohgaki"​ voteType="​single"​ closed="​true">​ <doodle title="​Add required mb_*() functions to fix vulnerability"​ auth="​yohgaki"​ voteType="​single"​ closed="​true">​
Line 131: Line 135:
    * No    * No
 </​doodle>​ </​doodle>​
 +
 +Thank you for voting. ​
 +
 +**If you vote No for this, please provide alternative short term resolution for CVE-2014-1239.**
  
 ===== Implementation ===== ===== Implementation =====
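Review bot: dropping "**mbstring-ng vote is done separately.**" removes the only cross-reference to the other vote from the Vote section; the added request "please provide alternative short term resolution for CVE-2014-1239" reads better with that pointer kept, because the separate mbstring-ng vote is the long-term resolution this RFC defers to. Minor: "Thank you for voting. " carries trailing whitespace.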
Line 140: Line 148:
  
 ===== References ===== ===== References =====
 +
 +Discussions
 +  * http://​marc.info/?​l=php-internals&​m=138982990932300&​w=2
 +  * http://​marc.info/?​l=php-internals&​m=139069591127118&​w=2
 +  * http://​marc.info/?​l=php-internals&​m=139018752615166&​w=2
  
 Related RFC Related RFC
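Review bot: the three marc.info links under the new "Discussions" list are bare URLs with no thread title or date, so a reader cannot tell which is the original proposal thread and which are follow-ups; add a short description to each bullet.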
rfc/multibyte_char_handling.1391418758.txt.gz · Last modified: 2017/09/22 13:28 (external edit)