
List:       php-general
Subject:    Re: PHP Security
From:       Aziz Saleh <azizsaleh () gmail ! com>
Date:       2020-06-26 13:40:44
Message-ID: CAPJtNhUiKJKr_=M+wyDKxgrZbHc-b3DkUuae6hOa_vWQ45Dt9Q () mail ! gmail ! com

On Fri, Jun 26, 2020 at 8:56 AM Ashley Sheridan <ash@ashleysheridan.co.uk>
wrote:

>
>
> On June 26, 2020 12:05:29 PM UTC, Kevin Waterson <kevin.waterson@gmail.com>
> wrote:
> >It's an example you dick, but production code.
> >Chill the fuck out
> >
> >On Fri, 26 Jun 2020, 2:23 pm Ashley Sheridan,
> ><ash@ashleysheridan.co.uk>
> >wrote
> >>
> >> That would end up blocking literally millions of valid names. Even if
> >you
> >> assume that names will all originate from a specific country (so we
> >don't
> >> have to deal with CJK, Cyrillic, or less common diacritics) you still
> >have
> >> to deal with hyphens, apostrophes, and common diacritics. So names
> >like
> >> Zöe, O'Reilly, Jean-Paul, André, would all be considered invalid by
> >your
> >> code example.
> >>
> >
> >> https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/
> >> lists a ton of other things to be careful about blocking.
> >>
> >> It's also worth pointing out that you're doing validation rather than
> >> sanitisation. These are different and aren't interchangeable.
> >> Thanks,
> >> Ash
> >>
>
> I really don't appreciate that kind of language, and I don't think anyone
> on this list should be expected to.
>
> Thanks,
> Ash
>

Very uncalled for Kev! The point of this list is that we share our opinions
and expertise. Things should never get personal. Please take a moment to
review the PHP mailing list rules:
--------------------------------------------------------
# Mailinglist rules

This is the first file you should be reading before doing any posts on PHP
mailinglists. Following these rules is considered imperative to the success of
the PHP project. Therefore expect your contributions to be of much less positive
impact if you do not follow these rules. More importantly you can actually
assume that not following these rules will hurt the PHP project.

PHP is developed through the efforts of a large number of people.
Collaboration is a Good Thing(tm), and mailinglists let us do this. Thus,
following some basic rules with regards to mailinglist usage will:

   a. Make everybody happier, especially those responsible for developing PHP
      itself.

   b. Help in making sure we all use our time more efficiently.

   c. Prevent you from making a fool of yourself in public.

   d. Increase the general level of good will on planet Earth.

Having said that, here are the organizational rules:

   1. Respect other people working on the project.

   2. Do not post when you are angry. Any post can wait a few hours. Review
      your post after a good breather or a good night's sleep.

   3. Make sure you pick the right mailinglist for your posting. Please review
      the descriptions on the
      [mailinglist overview page](https://www.php.net/mailing-lists.php). When
      in doubt ask a friend or someone you trust on IRC.

   4. Make sure you know what you are talking about. PHP is a very large project
      that strives to be very open. The flip side is that the core developers
      are faced with a lot of requests. Make sure that you have done your
      research before posting to the entire developer community.

   5. Patches have a much greater chance of acceptance than just asking the
      PHP developers to implement a feature for you. For one it makes the
      discussion more concrete and it shows that the poster put thought and time
      into the request.

   6. If you are posting to an existing thread, make sure that you know what
      previous posters have said. This is even more important the longer the
      thread is already.

   7. Please configure your email client to use a real name and keep message
      signatures to a maximum of 2 lines if at all necessary.

The next few rules are more some general hints:

   1. If you notice that your posting ratio is much higher than that of other
      people, double check the above rules. Try to wait a bit longer before
      sending your replies to give other people more time to digest your answers
      and more importantly give you the opportunity to make sure that you
      aggregate your current position into a single mail instead of multiple
      ones.

   2. Consider taking a step back from a very active thread now and then. Maybe
      talking to some friends and fellow developers will help in understanding
      the other opinions better.

   3. Do not top post. Place your answer underneath anyone you wish to quote
      and remove any previous comment that is not relevant to your post.

   4. Do not hijack threads by bringing up entirely new topics. Please
      create an entirely new thread copying anything you wish to quote into the
      new thread.

Finally, additional hints on how to behave inside the virtual community can be
found in [RFC 1855](http://www.faqs.org/rfcs/rfc1855.html).

Happy hacking,

PHP Team
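An added example, not code from this thread (Kevin's original snippet is not in the archive, so the ASCII-only check below is a constructed stand-in), illustrating the two points Ash raises in the quoted reply: an ASCII-only name check rejects Zöe, O'Reilly, Jean-Paul and André, whereas a Unicode-aware PCRE check accepts them, and output escaping is kept as a separate sanitisation step rather than being folded into validation. Function names are this example's own.

```php
<?php
// Added example for the thread above; not the original poster's code.
declare(strict_types=1);

// Constructed stand-in for an overly strict check: ASCII letters only.
// Without the /u modifier PCRE matches bytes, so any multibyte letter fails.
function isNameAsciiOnly(string $name): bool
{
    return preg_match('/^[A-Za-z]+$/', $name) === 1;
}

// Unicode-aware validation: letters from any script (\p{L}), combining marks
// for decomposed accents (\p{M}), plus apostrophe, hyphen, space and period.
// This decides accept/reject only; it does not transform the value.
function isPlausibleName(string $name): bool
{
    if (!mb_check_encoding($name, 'UTF-8')) {
        return false;                 // malformed UTF-8 is rejected outright
    }
    $len = mb_strlen($name, 'UTF-8'); // count code points, not bytes
    if ($len < 1 || $len > 100) {
        return false;
    }
    return preg_match('/^[\p{L}\p{M}\' .\-]+$/u', $name) === 1;
}

// Sanitisation is a separate, output-context-specific step (here: HTML).
// Passing validation never makes escaping unnecessary, and vice versa.
function nameForHtml(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: the four names from the thread plus one markup string.
foreach (['Zöe', "O'Reilly", 'Jean-Paul', 'André', '<b>x</b>'] as $n) {
    printf(
        "%-10s ascii-only:%d unicode-aware:%d html:%s\n",
        $n,
        (int) isNameAsciiOnly($n),
        (int) isPlausibleName($n),
        nameForHtml($n)
    );
}
```

The four real names fail the ASCII-only check and pass the Unicode-aware one; the markup string fails validation and is additionally escaped, showing that the two steps answer different questions.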



