rfc:multibyte_char_handling

Differences

This shows you the differences between two versions of the page.

rfc:multibyte_char_handling [2014/02/03 09:23]
yohgaki
rfc:multibyte_char_handling [2017/09/22 13:28] (current)
Line 4: Line 4:
   * Date: 2014-02-03   * Date: 2014-02-03
   * Author: Yasuo Ohgaki, yohgaki@ohgaki.net ​   * Author: Yasuo Ohgaki, yohgaki@ohgaki.net ​
-  * Status: ​Under discussion+  * Status: ​Declined
   * First Published at: http://​wiki.php.net/​rfc/​multibyte_char_handling   * First Published at: http://​wiki.php.net/​rfc/​multibyte_char_handling
  
Line 27: Line 27:
 ==== Add mb_addslashes()/​mb_var_export()/​mb_stripslashes() to released versions ==== ==== Add mb_addslashes()/​mb_var_export()/​mb_stripslashes() to released versions ====
  
-For PHP 5.and up, add mb_add_slashes()/​mb_var_export()/​mb_strip_slashes() has encoding option.+For PHP 5.and up, add mb_add_slashes()/​mb_var_export()/​mb_strip_slashes() has encoding option.
  
 <code php> <code php>
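Review bot: The body of this section names the functions mb_add_slashes() and mb_strip_slashes(), while the heading directly above uses mb_addslashes() and mb_stripslashes(); pick one spelling so readers know which names are being proposed. The changed sentence also reads "PHP 5.and up" on both sides with no minor version visible, and "has encoding option" should read "with an encoding option".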
Line 41: Line 41:
 ==== Add mb version of function uses php_mblen() ==== ==== Add mb version of function uses php_mblen() ====
  
-For PHP 5.and up, add mb_escape_shell_arg()/​mb_secape_shell_cmd()/​mb_fget_csv()/​etc that have extra encoding parameter like mb_add_slashes().+For PHP 5.and up, add mb_escape_shell_arg()/​mb_secape_shell_cmd()/​mb_fget_csv()/​etc that have extra encoding parameter like mb_add_slashes().
  
   * mb_escape_shell_arg()   * mb_escape_shell_arg()
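Review bot: The revised sentence still carries the typo "mb_secape_shell_cmd()", which does not match the mb_escape_shell_arg() naming in the list below it; correct it to mb_escape_shell_cmd(). As in the previous hunk, the target version reads "PHP 5.and up" with no minor version, and the underscore style (mb_fget_csv, mb_add_slashes) should be checked against the names used in the section headings.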
Line 63: Line 63:
  
 ==== mbstring.func_overload ==== ==== mbstring.func_overload ====
- 
-Use of mbstring.func_overload INI for overriding single byte string functions by mbstring functions is left open issue for future releases. 
  
 Some users are annoyed by sloppy multilingual implementations using Some users are annoyed by sloppy multilingual implementations using
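Review bot: Deleting the opening sentence of the mbstring.func_overload section removes the only statement of what the RFC proposes for that INI setting (that it is left as an open issue for future releases). If that position still holds, keep the sentence or move it under Open Issues; if it changed, state the new position instead of leaving the section to start with "Some users are annoyed by sloppy multilingual implementations".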
Line 77: Line 75:
 ==== mbstring usage and implementation ==== ==== mbstring usage and implementation ====
  
-For PHP 5.and up, all changes done in mbstring.+For PHP 5.and up, all changes done in mbstring.
  
 mbstring functions have history of remain insecure when single byte version of function'​s issue has been fixed. e.g. mb_prase_str(),​ mb_send_mail() Refactoring is preffered to avoid this issue, but refactoring is postponed until PHP6. i.e. There would be 2 codes that are mostly the same.  mbstring functions have history of remain insecure when single byte version of function'​s issue has been fixed. e.g. mb_prase_str(),​ mb_send_mail() Refactoring is preffered to avoid this issue, but refactoring is postponed until PHP6. i.e. There would be 2 codes that are mostly the same. 
  
-In short, if some one fixes related function, do not forget update mbstring code also.+In short, if some one fixes related function, do not forget ​to update mbstring code also.
  
 ===== Note about short and long term resolution ===== ===== Note about short and long term resolution =====
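Review bot: The unchanged paragraph in this hunk misspells a function name as "mb_prase_str()" and also has "preffered"; since this edit already touches the section for grammar ("do not forget to update"), fix those too. The function name matters because the paragraph cites it as an example of mbstring code that stayed insecure after the single-byte counterpart was fixed, and a reader cannot look it up as written.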
Line 92: Line 90:
 Main objective is to remove vulnerability like CVE-2014-1239. Main objective is to remove vulnerability like CVE-2014-1239.
 To accomplish this objective, we need multibyte aware function by default which we To accomplish this objective, we need multibyte aware function by default which we
-don't have it **now**.+don't have it now.
  
 To remove vulnerability like CVE-2014-129 from user scripts, there must be multibyte aware functions by default. We may compile current mbstring by default, but there is license issue for some users. mbstring-ng does not have such issue and it is preferred to use it as default with respect to license, but it's far from complete. To remove vulnerability like CVE-2014-129 from user scripts, there must be multibyte aware functions by default. We may compile current mbstring by default, but there is license issue for some users. mbstring-ng does not have such issue and it is preferred to use it as default with respect to license, but it's far from complete.
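Review bot: The CVE identifier is inconsistent within this hunk: the first context line says "CVE-2014-1239" and the last paragraph says "CVE-2014-129". The edit only drops the bold on "now" and leaves the mismatch in place; make both references use the same identifier so the vulnerability motivating the RFC can be traced unambiguously.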
Line 98: Line 96:
 Since there is no feasible option right now, short and long term resolution is needed. Since there is no feasible option right now, short and long term resolution is needed.
  
-When mbstring-ng development is finished, we should have vote whether mbstring +
-is replaced by mbstring-ng or not. There is other RFC for introducing mbstring-ng as a EXPERIMENTAL module.+
  
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
Line 107: Line 104:
 ===== Proposed PHP Version(s) ===== ===== Proposed PHP Version(s) =====
  
-  * PHP 5.and up - Introduce additional mb_*() functions+  * PHP 5.and up - Introduce additional mb_*() functions
  
 ===== Future Scope ===== ===== Future Scope =====
  
   * mbstring may be replaced by mbstring-ng in future release and mbstring may be moved to PECL.   * mbstring may be replaced by mbstring-ng in future release and mbstring may be moved to PECL.
 +
 +There is other RFC for introducing mbstring-ng as a EXPERIMENTAL module.
 +
 +When mbstring-ng development is finished, there will be a vote whether mbstring
 +is replaced by mbstring-ng or not. 
  
 ===== Open Issues ===== ===== Open Issues =====
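Review bot: The sentence moved into Future Scope, "There is other RFC for introducing mbstring-ng as a EXPERIMENTAL module", refers to another RFC without naming or linking it; add the wiki link so the dependency can be followed, and change "a EXPERIMENTAL" to "an EXPERIMENTAL". The "Proposed PHP Version(s)" bullet in the same hunk still reads "PHP 5.and up" with no minor version.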
Line 125: Line 127:
 ===== Vote ==== ===== Vote ====
  
-VOTE: 2014/02/XX - 2014/02/XX+VOTE: 2014/02/10 - 2014/02/17
  
-This vote is only for adding new mb_*() functions to released versions. ​**mbstring-ng vote is done separately.**+This vote is only for adding new mb_*() functions to released versions. ​
  
 <doodle title="​Add required mb_*() functions to fix vulnerability"​ auth="​yohgaki"​ voteType="​single"​ closed="​true">​ <doodle title="​Add required mb_*() functions to fix vulnerability"​ auth="​yohgaki"​ voteType="​single"​ closed="​true">​
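Review bot: The bold statement "mbstring-ng vote is done separately." is removed from the Vote section, so the scope sentence no longer says explicitly that replacing mbstring with mbstring-ng is outside this vote; the reader now has to infer that from Future Scope. Consider keeping a plain (non-bold) version of that sentence next to the vote. The heading markup "===== Vote ====" is also unbalanced (five opening and four closing equals signs).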
Line 134: Line 136:
 </​doodle>​ </​doodle>​
  
-Thank you for voting. If you vote No for this, please provide alternative short term resolution for CVE-2014-1239.+Thank you for voting. ​ 
 + 
 +**If you vote No for this, please provide alternative short term resolution for CVE-2014-1239.**
  
 ===== Implementation ===== ===== Implementation =====
Line 144: Line 148:
  
 ===== References ===== ===== References =====
 +
 +Discussions
 +  * http://​marc.info/?​l=php-internals&​m=138982990932300&​w=2
 +  * http://​marc.info/?​l=php-internals&​m=139069591127118&​w=2
 +  * http://​marc.info/?​l=php-internals&​m=139018752615166&​w=2
  
 Related RFC Related RFC
rfc/multibyte_char_handling.1391419431.txt.gz · Last modified: 2017/09/22 13:28 (external edit)