Newsgroups: php.internals
Date: Thu, 15 Aug 2019 20:20:45 +0100
To: Matthew Brown
Cc: PHP internals
Subject: Re: [PHP-DEV] Literal / Taint checking
From: craig@craigfrancis.co.uk (Craig Francis)

On Thu, 15 Aug 2019 at 7:43 pm, Matthew Brown wrote:

> There are already some userland taint-checking solutions for PHP e.g. the
> Phan taint-check plugin from MediaWiki:
> https://www.mediawiki.org/wiki/Phan-taint-check-plugin
>
> I'm working on my own userland solution, too (based on Facebook's
> approach). Demo is here: https://psalm.dev/r/ebb9522fea

Hi Matthew,

If anything, this proposal would help user-land solutions (it gives them more information while the code is running). At the moment, they all need to make their own parsers, or extensions, and they all have blind spots.

I'd also like us to move slowly away from taint checkers that allow for tainted strings to be marked as un-tainted, as these allow mistakes to be made.

Please excuse any typos, on my phone, but how about:

    $sql = '... WHERE id = ' . mysqli_real_escape_string($db, $_GET['id']);

It's been escaped, so surely it's not tainted any more?

Unfortunately, because it's not surrounded with quote marks, it's not safe.

It also relies on there not being any parsing issues within the database engine itself (parameterised queries help here, as those values aren't part of the SQL parsing process).

Craig
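The escaped-but-unquoted pattern Craig describes, carried through as an added example that is not part of this thread and not code from the PHP project. It uses an in-memory SQLite database through PDO so it runs offline; the `escape_only()` helper is a hypothetical stand-in for a driver escape step such as `mysqli_real_escape_string()` (it escapes quote characters but, like the real function, never adds the surrounding quote marks), and the input value is constructed for the demonstration. The point it makes is the one in the email: an escape function cannot protect a value that is spliced into the SQL without quotes, because the value still takes part in SQL parsing, whereas a bound parameter does not.

```php
<?php
// Added example, not from the php.internals thread. Demonstrates why an
// escaped but unquoted value is still unsafe, beside the parameterised
// form. Runs offline against an in-memory SQLite database via PDO.

declare(strict_types=1);

// Hypothetical stand-in for an escape-without-quoting step (the role
// mysqli_real_escape_string() plays in the email). It only escapes the
// quote character; it deliberately adds no surrounding quote marks.
function escape_only(string $value): string
{
    return str_replace("'", "''", $value);
}

function setup_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
    return $db;
}

// The pattern from the email: escaped, concatenated, but never quoted.
// Whatever survives escaping becomes part of the SQL grammar.
function count_unquoted(PDO $db, string $id): int
{
    $sql = 'SELECT COUNT(*) FROM users WHERE id = ' . escape_only($id);
    return (int) $db->query($sql)->fetchColumn();
}

// Parameterised version: the SQL text is a fixed literal and the value is
// bound separately, so it never takes part in SQL parsing at all.
function count_parameterised(PDO $db, string $id): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE id = ?');
    $stmt->execute([$id]);
    return (int) $stmt->fetchColumn();
}

$db = setup_db();

// Constructed input: it contains no quote character, so escape_only()
// returns it unchanged, exactly as a driver escape function would.
$input = '1 OR 1=1';

echo 'escaped but unquoted: ', count_unquoted($db, $input), PHP_EOL;
echo 'parameterised:        ', count_parameterised($db, $input), PHP_EOL;

// A benign value behaves the same in both forms, which is why the
// unquoted pattern survives ordinary testing.
echo 'benign, unquoted:     ', count_unquoted($db, '2'), PHP_EOL;
echo 'benign, parameterised:', ' ', count_parameterised($db, '2'), PHP_EOL;
```

Running this shows the unquoted form matching every row for the constructed input, because the escaped text is still parsed as SQL and the condition it produces is no longer a comparison against one id, while the parameterised form compares the whole string as a value and matches nothing; the benign value gives the same single match in both. That is the gap a taint checker closes only if it refuses to treat an escape call as untainting the value, which is the behaviour the email argues for.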