Hi Nikita,
On Sun, Jan 26, 2014 at 9:38 AM, Nikita Popov <[email protected]> wrote:
> This RFC conflates the addition of a multibyte version of addslashes (in
> response to quoted CVE) with the replacement of the mbstring extension by a
> completely different implementation (and an incomplete one at that). Those
> two things have very little to do with each other and should not be covered
> in the same RFC and/or vote.
The root cause of this issue is the lack of multibyte-aware functions that
relate to security.
I wrote the RFC to compile the current mbstring by default at first, but it
was withdrawn. The reason is that mbstring uses LGPLed libraries.
As long as it is loaded as a shared module, there would not be an issue.
However, if these are compiled and used statically, the LGPL will be
effective.
To avoid this issue, it would be better to replace mbstring with mbstring-ng
and move mbstring to PECL for a future release.
I'll work on mbstring-ng so that it has all mbstring features. Until then,
we may have it as EXPERIMENTAL.
Although it may seem like a different issue, compiling mbstring by
default is needed to resolve the issue. Therefore, I've made a
single RFC to accomplish the objective.
Does this sound reasonable to you?
Regards,
--
Yasuo Ohgaki
[email protected]