Re: [VOTE] RFC: Multibyte Char Handling

From: Date: Sun, 26 Jan 2014 19:03:49 +0000
Subject: Re: [VOTE] RFC: Multibyte Char Handling
Groups: php.internals

Hi,

On Sun, Jan 26, 2014 at 12:51 AM, Yasuo Ohgaki <[email protected]> wrote:

> Hi Nikita,
>
> On Sun, Jan 26, 2014 at 9:38 AM, Nikita Popov <[email protected]>
> wrote:
>
> > This RFC conflates the addition of a multibyte version of addslashes (in
> > response to quoted CVE) with the replacement of the mbstring extension by a
> > completely different implementation (and an incomplete one at that). Those
> > two things have very little to do with each other and should not be covered
> > in the same RFC and/or vote.
>
>
> The root cause of this issue is the lack of multibyte-aware functions that
> relate to security.
>
> I wrote the RFC to compile the current mbstring by default at first, but it
> was withdrawn. The reason is that mbstring uses LGPLed libraries.
> As long as it is loaded as a shared module, there would not be an issue.
> However, if these are compiled and used statically, the LGPL will be
> effective.
>
> To avoid this issue, it would be better to replace mbstring with mbstring-ng
> and move mbstring to PECL for a future release.
>
> I'll work on mbstring-ng so that it has all mbstring features. Until then,
> we may have it as EXPERIMENTAL.
>
> Although it may seem a different issue, compilation of mbstring by
> default is needed to resolve the issue. Therefore, I've made a
> single RFC to accomplish the objective.
>
> Does this sound reasonable to you?
>
> Regards,
>
>
I have been looking a bit into the mbstring-ng. I forked it from moriyoshi
and fixed some compilation issues (for php-master).

https://github.com/bukka/mbstring-ng/compare/next

I also ran

$ find ./tests/ -type f -exec sed -i 's/mb_/mb2_/g' {} \;

and then tested it a bit. Most of the tests are failing. It hasn't been
updated for 5 years, so there are some runtime issues and there are some missing
functions. It looks like it will require quite a lot of work. I will try to
have a look later if I get time... :)

Thought that it could help a bit when you start working on it. ;)

Regards

Jakub

