Newsgroups: php.internals
Subject: Re: [PHP-DEV] Literal / Taint checking
From: craig@craigfrancis.co.uk (Craig Francis)
Date: Thu, 15 Aug 2019 19:18:08 +0100
To: Benjamin Eberlei
Cc: PHP internals

On Thu, 15 Aug 2019 at 19:05, Benjamin Eberlei wrote:

> On Thu, Aug 15, 2019 at 8:03 PM Craig Francis wrote:
>
>> Hi,
>>
>> How likely would it be for PHP to do Literal tracking of variables?
>>
>> This is something that's being discussed in JavaScript TC39 at the moment [1], and I think it would be even more useful in PHP.
>>
>> We already know we should use parameterized/prepared SQL, but there is no way to prove the SQL string hasn't been tainted by external data in large projects, or even in an ORM.
>>
>> This could also work for templating systems (blocking HTML injection) and commands.
>>
>> Internally it would need to introduce a flag on every variable, and a single function to check if a given variable has only been created by Literal(s).
>>
>> Unlike the taint extension, there should be no way to override this (e.g. no taint/untaint functions); and if it was part of the core language, it will continue to work after every update.
>>
>> One day certain functions (e.g. mysqli_query) might use this information to generate an error/warning/notice; but for now, having it available for checking would be more than enough.
>>
>> Craig
>>
>
> It is an interesting topic indeed! I remember that laruence wrote an extension for this a while ago, I have never tried it myself though. You can find it here: https://github.com/laruence/taint
>

Thanks, I've been using that extension for a few years - laruence has done a fantastic job with it.

But it can be a bit buggy; and due to it being a taint based system, with the ability to taint/untaint, it introduces some problems.

https://github.com/laruence/taint/issues/54
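The mechanism the thread proposes (a per-value "built only from literals" flag that survives concatenation, plus a single check function) can be sketched in userland to show how a query API would consume it. The following is an added illustration written for this page; it is not code from the thread, from the laruence/taint extension, or from PHP itself. The `Literal` class, `is_literal_value()`, and `SafeQuery` are hypothetical names, and the one thing userland cannot enforce (that `Literal::of()` is only ever called with a string written in the source) is exactly what the proposed engine flag would supply.

```php
<?php
declare(strict_types=1);

// Hypothetical userland model of the proposed literal flag. In the proposal
// the engine would mark strings written in source code and keep the mark only
// through concatenation of marked strings; here the Literal class plays that
// role. The constructor is the single place where a plain string enters.
final class Literal
{
    private function __construct(private string $value) {}

    /** Wrap a string written in the source code (assumption: callers obey this). */
    public static function of(string $sourceLiteral): Literal
    {
        return new Literal($sourceLiteral);
    }

    /** Concatenating literals yields a literal, as the proposal describes. */
    public function concat(Literal ...$parts): Literal
    {
        $joined = $this->value;
        foreach ($parts as $part) {
            $joined .= $part->value;
        }
        return new Literal($joined);
    }

    public function __toString(): string
    {
        return $this->value;
    }
}

/** The single check the proposal describes: was this value built only from literals? */
function is_literal_value(mixed $value): bool
{
    return $value instanceof Literal;
}

/** SQL text is accepted only as a Literal; external data goes through placeholders. */
final class SafeQuery
{
    /** @var list<mixed> */
    private array $params = [];
    private Literal $sql;

    public function __construct(Literal $sql)
    {
        $this->sql = $sql;
    }

    /** Append a literal fragment containing a "?" placeholder and bind one parameter. */
    public function where(Literal $fragment, mixed $param): static
    {
        $this->sql = $this->sql->concat(Literal::of(' AND '), $fragment);
        $this->params[] = $param;
        return $this;
    }

    public function sql(): string { return (string) $this->sql; }
    public function params(): array { return $this->params; }
}

// Constructed request input standing in for $_GET['id']; never part of the SQL text.
$untrustedId = 'value-from-the-request';

$q = (new SafeQuery(Literal::of('SELECT * FROM users WHERE 1=1')))
    ->where(Literal::of('id = ?'), $untrustedId);

assert(is_literal_value(Literal::of('x')) && !is_literal_value($untrustedId));
echo $q->sql(), PHP_EOL;   // SELECT * FROM users WHERE 1=1 AND id = ?
var_dump($q->params());    // the request value is bound, not spliced into the SQL

// What the check is meant to catch: request data reaching a literal-only parameter.
try {
    new SafeQuery('SELECT * FROM users WHERE id = ' . $untrustedId);
} catch (TypeError $e) {
    echo 'rejected: SQL text was not built only from literals', PHP_EOL;
}
```

The point of the sketch is the boundary, not the class: once a query function only accepts literal-flagged SQL, a string that mixed in request data is rejected at the call site (here by the type declaration, in the proposal by the engine's flag), and there is no untaint step that could hide the mistake.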