Re: [off] PHP: a fractal of bad design

Date: Mon, 07 May 2012 08:31:00 +0000
Subject: Re: [off] PHP: a fractal of bad design
On Mon, May 7, 2012 at 12:28 AM, Arvids Godjuks <[email protected]> wrote:

> Hello internals,
>
> I should voice my opinion that such things as comparing two strings
> starting with numbers and having them resolve to an actual integer/float for
> comparison is bad, really bad. That just defies the logic and yields
> absolutely unexpected results. I pride myself that I know the juggling rules
> well, but I'm shocked by this to say the least...
> In my opinion this should change no matter the BC breaks it will create,
> this one affects security big time. It's good I actually hash my passwords
> in the MySQL and not on the PHP side, but I have seen hash comparisons
> with == all the time. And now that this has been discussed in detail I
> expect the use of this as an attack method to become widespread.
> On 07.05.2012 at 5:32, "Tjerk Anne Meesters"
> <[email protected]>
> wrote:


Forgive me if I'm missing something, but why are people using == for
security-sensitive string comparisons (like hashed passwords) in the first
place?!  If you need something that's safe, isn't that what strcmp() and
strcasecmp() are for?  For my part, I pretty much never use == on string
comparison, though admittedly that's probably just a matter of having
come from a C background before PHP.

That being said, I agree that this *definitely* should be fixed if the
examples cited are indeed accurate (I've been working with PHP for over 10
years and I was never aware of this bizarre behavior, either).  I don't
know the history of this, but I at least would consider it to be a bug.  A
rather large one, in fact; though I think some of the fears expressed are a
bit hyperbolic.  And if you're fixing a serious bug or security
vulnerability, as a general rule of thumb, this automatically supersedes
any concerns regarding BC breakage IMHO.  But if that really is a lingering
concern, I'd suggest targeting the fix for PHP 6, since people would (or
at least should) expect that some PHP 5 code may behave differently in PHP
6 anyway given that it's a major release.

--Kris
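The behaviour the thread is arguing about, as an added example (not code from either poster or from PHP's own sources): PHP's == turns two numeric-looking strings into numbers before comparing them, so a digest check written with == can report a match for strings that are not byte-for-byte equal. The digest values below are constructed for illustration, and the weak/safe function names are this example's own.

```php
<?php
// Constructed string pairs. When BOTH sides look numeric to PHP (integer,
// float, or scientific notation), == compares their numeric values instead
// of their bytes. Non-numeric strings are compared as strings.
$cases = [
    ['1000',  '1e3'],    // '1e3' is scientific notation for 1000
    ['0e123', '0e456'],  // both read as 0 times a power of ten, i.e. 0.0
    ['010',   '10'],     // a leading zero does not change the numeric value
    ['abc',   'abd'],    // not numeric, so an ordinary string comparison
];

foreach ($cases as [$a, $b]) {
    printf("%-6s == %-6s : %s\n", $a, $b, var_export($a == $b, true));
}

// The pattern Arvids describes seeing "all the time": a stored digest
// compared to a supplied one with ==. Hex digests made only of digits and
// a single 'e' satisfy PHP's numeric-string rule, which is what makes this
// a correctness problem rather than a style nit.
function weak_check(string $stored, string $supplied): bool
{
    return $stored == $supplied;
}

// Hardened form. strcmp(), as Kris suggests, compares bytes and never
// coerces; hash_equals() (PHP >= 5.6) does the same and also runs in
// constant time, so it is the better choice for secrets.
function safe_check(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

// Same inputs, different answers: only the == version treats these as equal.
var_dump(weak_check('0e123', '0e456'));
var_dump(safe_check('0e123', '0e456'));
var_dump(strcmp('0e123', '0e456') === 0);
```

The first two var_dump() calls disagree on the same pair of strings, which is exactly the gap a loose comparison opens; === or strcmp() closes it, and hash_equals() closes it without leaking timing.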

