Re: [RFC] Multibyte char handling

From:	Yasuo Ohgaki	Date:	Thu, 16 Jan 2014 22:34:06 +0000
Subject:	Re: [RFC] Multibyte char handling
References:	1 2	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Hi Nikita,

On Thu, Jan 16, 2014 at 9:18 PM, Nikita Popov <[email protected]> wrote:

> On Thu, Jan 16, 2014 at 12:50 AM, Yasuo Ohgaki <[email protected]> wrote:
>
>> Hi all,
>>
>> addslashes() could be vulnerable via char encoding based attacks.
>> It is needed to decide what counter measure we adopt.
>> This is RFC for this issue.
>>
>> https://wiki.php.net/multibyte_char_handling
>>
>> Please comment.
>> Thank you.
>>
>
> Please do *not* add encoding parameters to our existing string functions -
> we have an mb extension and mb functionality should go there. Don't mix the
> things, it will only lead to a lot of confusion. Right now it's obvious
> which functions handle encoding how, no need to break that.
>

This discussion circulate discussion.

At first, I proposed locale based solution using php_mblen().
This approach does not require additional encoding parameter
since encoding is specified by locale.

However, some people don't like the solution (in security ML)
because it is  locale based solution. It may have unwanted side
effects. Locale is unreliable and most user just don't care about it.

Therefore, I proposed this approach that introduce encoding
parameter just like htmlspecialchars()/htmlentities().

Encoding parameter (or some way to specify encoding) for security
related string function is mandatory. We should provide some way
to specify encoding.

Do you like locale based approach for now?

Regards,

--
Yasuo Ohgaki
[email protected]


   

Thread (31 messages)

• Yasuo OhgakiWed, 15 Jan 2014 23:50:18 +0000
  • Yasuo OhgakiThu, 16 Jan 2014 00:12:44 +0000Re: [RFC] Multibyte char handling
    • [email protected]Thu, 16 Jan 2014 02:36:16 +0000Re: Re: [RFC] Multibyte char handling
      • Yasuo OhgakiThu, 16 Jan 2014 02:58:05 +0000
        • Stas MalyshevThu, 16 Jan 2014 07:22:05 +0000
          • Yasuo OhgakiThu, 16 Jan 2014 10:36:14 +0000
          • Derick RethansThu, 16 Jan 2014 11:38:59 +0000
            • Yasuo OhgakiFri, 17 Jan 2014 03:19:21 +0000
  • Nikita PopovThu, 16 Jan 2014 12:18:36 +0000
    • Yasuo OhgakiThu, 16 Jan 2014 22:34:06 +0000
      • Nikita PopovThu, 16 Jan 2014 22:38:00 +0000
        • Yasuo OhgakiThu, 16 Jan 2014 22:47:49 +0000
          • Pierre JoyeSun, 19 Jan 2014 16:09:40 +0000
            • Yasuo OhgakiSun, 19 Jan 2014 22:48:08 +0000
              • Yasuo OhgakiSun, 19 Jan 2014 22:59:13 +0000
              • Pierre JoyeMon, 20 Jan 2014 06:38:12 +0000
                • Yasuo OhgakiMon, 20 Jan 2014 08:57:48 +0000
      • MikeFri, 17 Jan 2014 16:37:58 +0000
        • Yasuo OhgakiFri, 17 Jan 2014 19:53:58 +0000
        • Julien PauliFri, 17 Jan 2014 20:06:38 +0000
          • Yasuo OhgakiFri, 17 Jan 2014 21:34:43 +0000
            • Yasuo OhgakiFri, 17 Jan 2014 21:41:31 +0000
            • Julien PauliFri, 17 Jan 2014 21:50:04 +0000
              • Yasuo OhgakiFri, 17 Jan 2014 22:10:27 +0000
                • Yasuo OhgakiFri, 17 Jan 2014 22:31:05 +0000
                • Julien PauliFri, 17 Jan 2014 23:04:05 +0000
                • Yasuo OhgakiSat, 18 Jan 2014 00:20:06 +0000
  • Lester CaineSat, 18 Jan 2014 13:41:54 +0000
    • Yasuo OhgakiSat, 18 Jan 2014 18:52:01 +0000
      • Lester CaineSat, 18 Jan 2014 21:19:43 +0000
  • Yasuo OhgakiThu, 23 Jan 2014 04:39:42 +0000Re: [RFC] Multibyte char handling