|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #73655 Spoofchecker::isSuspicious behavior change due to upstream changes
Submitted: 2016-12-05 15:31 UTC Modified: 2018-05-03 17:09 UTC
From: sjon at hortensius dot net Assigned: ab (profile)
Status: Closed Package: intl (PECL)
PHP Version: 7.1.0 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
46 - 20 = ?
Subscribe to this entry?

 [2016-12-05 15:31 UTC] sjon at hortensius dot net
It seems Spoofchecker::isSuspicious is broken; testing an example from the manual all PHP versions work fine; except 7.1.0.

This seems related to an update which was done to the localization which was not present in any of the RCs (insert rant about RCs being real RCs here)

Test script:
See, script was copied from

$checker = new Spoofchecker();


Expected result:

Actual result:


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2016-12-05 15:51 UTC] sjon at hortensius dot net
This might also be related to the recently released ICU-58 ( with which 7.1 was compiled. I'm sure distros will compile with the same ICU but this might be the reason I didn't find a suspicious commit in php-src itself
 [2016-12-05 16:22 UTC] sjon at hortensius dot net
I have confirmed php-7.1.0 compiled with ICU 55 works fine. Compiled with ICU 57 also works. Can anyone confirm if this is a bug with ICU itself; or with PHP's usage of ICU?

This is still a problem as distros such as ArchLinux will soon release with ICU-58 and experience this issue
 [2016-12-05 16:22 UTC] me at kelunik dot com
Works for me with ICU 55, so it seems to be an ICU problem.

$ php -v
PHP 7.1.0 (cli) (built: Dec  5 2016 17:15:16) ( NTS DEBUG )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.1.0-dev, Copyright (c) 1998-2016 Zend Technologies

$ cat bug73655.php 

$checker = new Spoofchecker();


$ php bug73655.php 

$ apt-show-versions libicu-dev 
libicu-dev:amd64/xenial 55.1-7 uptodate
libicu-dev:i386 not installed
 [2016-12-05 16:34 UTC]
-Summary: Spoofchecker::isSuspicious broken +Summary: Spoofchecker::isSuspicious behavior change to due upstream changes -Status: Open +Status: Verified -Package: I18N and L10N related +Package: intl
 [2016-12-05 16:34 UTC]
I don't understand the terminology but it seems this was an intentional change (or at least accepted side effect) with ICU 85.

So this is tentatively NAB and in need of documentation changes, but for all I know there may be a way to preserve the old behavior, possibly involving toggle assorted spoofchecking options if the uspoof C API has that.
 [2016-12-05 16:35 UTC]
-Summary: Spoofchecker::isSuspicious behavior change to due upstream changes +Summary: Spoofchecker::isSuspicious behavior change due to upstream changes
 [2016-12-05 17:33 UTC]
-Assigned To: +Assigned To: stas
 [2016-12-05 17:33 UTC]
One can get around the removal of WSC and MSC by setting the list of allowed locales manually, see <>, for instance. So this might be solely a documentation issue.

Stas, as you're listed as ext/intl maintainer, what do you think?
 [2017-10-20 18:16 UTC]
Automatic comment on behalf of ab
Log: Fixed bug #73655 Spoofchecker::isSuspicious behavior change due to upstream changes
 [2017-10-20 18:16 UTC]
-Status: Verified +Status: Closed
 [2017-10-20 18:32 UTC]
-Status: Closed +Status: Re-Opened -Type: Bug +Type: Documentation Problem
 [2017-10-20 18:32 UTC]
The behavior change should be fixed here;a=commitdiff;h=f95063647ccebfde5e8e39bc3349e63f19662395 

ICU > 58 undergone significant BC breaches, more fixes might be necessary. In general, the fact a locale were needed to have right suspicious checks was not new. Now, with the removal of the MSC and WSC, as well as single script and lower case data removals, it becomes unavoidable. I thought about enforcing the empty allowed locales check, but it seems a bit too much ATM. Still, this issue is worth documenting, as there are no good ways to bring ICU to the old behavior. Neither it would make much sense regarding the latest UNICODE security specs. Turning this into a doc issue now, further tests on the subject are appreciated to catch possible misbehaviors with modern ICU.

 [2017-10-24 05:11 UTC]
-Status: Re-Opened +Status: Assigned
 [2017-10-24 05:12 UTC]
-Status: Assigned +Status: Open -Assigned To: stas +Assigned To:
 [2018-05-03 17:09 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: ab
 [2018-05-03 17:09 UTC]
Since there are no further comments, closing the ticket.

PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Sun Dec 03 12:01:27 2023 UTC