rfc:multibyte_char_handling

Differences

rfc:multibyte_char_handling [2014/02/03 09:28]
yohgaki
rfc:multibyte_char_handling [2017/09/22 13:28] (current)
Line 4: Line 4:
   * Date: 2014-02-03   * Date: 2014-02-03
   * Author: Yasuo Ohgaki, yohgaki@ohgaki.net ​   * Author: Yasuo Ohgaki, yohgaki@ohgaki.net ​
-  * Status: ​Under discussion+  * Status: ​Declined
   * First Published at: http://​wiki.php.net/​rfc/​multibyte_char_handling   * First Published at: http://​wiki.php.net/​rfc/​multibyte_char_handling
  
Line 27: Line 27:
 ==== Add mb_addslashes()/​mb_var_export()/​mb_stripslashes() to released versions ==== ==== Add mb_addslashes()/​mb_var_export()/​mb_stripslashes() to released versions ====
  
-For PHP 5.and up, add mb_add_slashes()/​mb_var_export()/​mb_strip_slashes() has encoding option.+For PHP 5.and up, add mb_add_slashes()/​mb_var_export()/​mb_strip_slashes() has encoding option.
  
 <code php> <code php>
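Review bot: The function names in the changed sentence do not match the section heading: the heading lists mb_addslashes() and mb_stripslashes(), while the sentence says mb_add_slashes() and mb_strip_slashes(). Pick one spelling and use it in both places, since readers will search for the exact name. The sentence would also read better as "add mb_addslashes()/mb_var_export()/mb_stripslashes(), which have an encoding option".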
Line 41: Line 41:
 ==== Add mb version of function uses php_mblen() ==== ==== Add mb version of function uses php_mblen() ====
  
-For PHP 5.and up, add mb_escape_shell_arg()/​mb_secape_shell_cmd()/​mb_fget_csv()/​etc that have extra encoding parameter like mb_add_slashes().+For PHP 5.and up, add mb_escape_shell_arg()/​mb_secape_shell_cmd()/​mb_fget_csv()/​etc that have extra encoding parameter like mb_add_slashes().
  
   * mb_escape_shell_arg()   * mb_escape_shell_arg()
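Review bot: The changed sentence still carries the misspelling mb_secape_shell_cmd(); going by mb_escape_shell_arg() in the same sentence and in the list below, it should read mb_escape_shell_cmd(). The reference to mb_add_slashes() at the end of the sentence should also follow whichever spelling the earlier section settles on.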
Line 75: Line 75:
 ==== mbstring usage and implementation ==== ==== mbstring usage and implementation ====
  
-For PHP 5.and up, all changes done in mbstring.+For PHP 5.and up, all changes done in mbstring.
  
 mbstring functions have history of remain insecure when single byte version of function'​s issue has been fixed. e.g. mb_prase_str(),​ mb_send_mail() Refactoring is preffered to avoid this issue, but refactoring is postponed until PHP6. i.e. There would be 2 codes that are mostly the same.  mbstring functions have history of remain insecure when single byte version of function'​s issue has been fixed. e.g. mb_prase_str(),​ mb_send_mail() Refactoring is preffered to avoid this issue, but refactoring is postponed until PHP6. i.e. There would be 2 codes that are mostly the same. 
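Review bot: The paragraph after the changed line was left as is and still contains mb_prase_str() (presumably mb_parse_str()) and "preffered". Since this paragraph carries the security argument for the section (mbstring variants staying insecure after the single-byte function was fixed), it is worth correcting the function name so the example can be looked up.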
Line 90: Line 90:
 Main objective is to remove vulnerability like CVE-2014-1239. Main objective is to remove vulnerability like CVE-2014-1239.
 To accomplish this objective, we need multibyte aware function by default which we To accomplish this objective, we need multibyte aware function by default which we
-don't have it **now**.+don't have it now.
  
 To remove vulnerability like CVE-2014-129 from user scripts, there must be multibyte aware functions by default. We may compile current mbstring by default, but there is license issue for some users. mbstring-ng does not have such issue and it is preferred to use it as default with respect to license, but it's far from complete. To remove vulnerability like CVE-2014-129 from user scripts, there must be multibyte aware functions by default. We may compile current mbstring by default, but there is license issue for some users. mbstring-ng does not have such issue and it is preferred to use it as default with respect to license, but it's far from complete.
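Review bot: The CVE identifier is inconsistent within this hunk: the first line cites CVE-2014-1239, and the paragraph below the changed line cites CVE-2014-129. The Vote section also uses CVE-2014-1239, so the second reference looks like a dropped digit; confirm the identifier and make all occurrences agree. Dropping the bold on "now" is fine, but "which we don't have it now" should lose the "it".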
Line 104: Line 104:
 ===== Proposed PHP Version(s) ===== ===== Proposed PHP Version(s) =====
  
-  * PHP 5.and up - Introduce additional mb_*() functions+  * PHP 5.and up - Introduce additional mb_*() functions
  
 ===== Future Scope ===== ===== Future Scope =====
Line 127: Line 127:
 ===== Vote ==== ===== Vote ====
  
-VOTE: 2014/02/XX - 2014/02/XX+VOTE: 2014/02/10 - 2014/02/17
  
 This vote is only for adding new mb_*() functions to released versions. ​ This vote is only for adding new mb_*() functions to released versions. ​
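Review bot: The heading above the changed line is written "===== Vote ====", with five equals signs opening and four closing, unlike the balanced "===== Future Scope =====" and "===== Implementation =====" headings. Balance it while the vote dates are being filled in.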
Line 136: Line 136:
 </​doodle>​ </​doodle>​
  
-Thank you for voting. If you vote No for this, please provide alternative short term resolution for CVE-2014-1239.+Thank you for voting. ​ 
 + 
 +**If you vote No for this, please provide alternative short term resolution for CVE-2014-1239.**
  
 ===== Implementation ===== ===== Implementation =====
Line 146: Line 148:
  
 ===== References ===== ===== References =====
 +
 +Discussions
 +  * http://​marc.info/?​l=php-internals&​m=138982990932300&​w=2
 +  * http://​marc.info/?​l=php-internals&​m=139069591127118&​w=2
 +  * http://​marc.info/?​l=php-internals&​m=139018752615166&​w=2
  
 Related RFC Related RFC
rfc/multibyte_char_handling.1391419683.txt.gz · Last modified: 2017/09/22 13:28 (external edit)