After a long time, today i came across (again) the Minutes Php Developers Meeting , now seen of course, on the light of new knowledge i’ve accumulated since ( not a lot , but some ).
On the list of discussed/accepted/declined matters, that i just re-read, what hit my attention was the decision made to add an opcode cache (APC) to the std distribution. I think it is going to be very interesting and practical.
APC is a well-written, well-maintained Pecl package. I have implemented already in a couple of solutions, and it is definitely worth the trouble of setting it up.
Another thing was the merging of the Hardened-PHP patch into the std distro, and a few other measures, as follows.
[…]
Discussion: We went over the features that the patch offers, and discussed whether we might want to include them in stock PHP. One of the points that came up was the allow_url_fopen setting we currently have in PHP. Many ISPs disable it because of sound security reasons for remote paths with include(), but unfortunately by turning this setting off they are also turning off the possibility to use fopen(“http:…”) f.e. This is why we want to split this option into two settings.
Conclusions:
- We want to include the patch’ real-path fix.
- We want to include the protection against HTTP Response Splitting attacks (header() shouldn’t accept multiple headers in one call).
- We split allow_url_fopen into two distinct settings: allow_url_fopen and allow_url_include. If allow_url_fopen is off, then allow_url_include will be off too.
- We enable allow_url_fopen by default
- We disable allow_url_include by default
[…]
The decision to make header() not accept multiple values in one cal, is already a step ahead, but i hope it is going to be followed by some serious PCREs.
Quoting from wikipedia’s HTTP Response Splitting Attack:
http://example.tld/redir.php?id=%0d%0aSet-Cookie%3A+some%3Dvalue
I hope my point is clear.
And then, at the end, there’s the ifsetor() issue and the modifications made to the ternary operator ( ie: removal of the requirement for the middle parameter).
In my humble opinion, the way it is going to be , it’s so much more complicated ( speaking of clear, easy-readable code).
Example:
$foo = $_GET[‘foo’] ?: 42;
What about :
$foo = ($a===$b)? 41 : 42;
How’s this going to be evaluated?
In the end, let’s keep in mind that, these discussions happened back in 2005, on a theoretical basis.
From then, most-likely a few things have changed, and there’ll be much more to talk.
Sid? What is he on about now? 
Thank you for some other great post. Where else may just anybody get
that kind of information in such a perfect means of writing?
I’ve a presentation subsequent week, and I’m on the look
for such info.