Newsgroups: php.internals
Xref: news.php.net php.internals:109192
Date: Sat, 21 Mar 2020 21:59:29 +0000
To: Craig Francis, PHP internals
Subject: Re: [PHP-DEV] [RFC] is_literal()
From:
 tysonandre775@hotmail.com (tyson andre)

Hi Craig,

https://github.com/laruence/taint#taint notes that
"Please note that do not enable this extension in product(ion) env, since it will slowdown your app."

- That repo already provides is_tainted() http://docs.php.net/is_tainted

A fork of that repo would theoretically allow implementing is_literal() as described in the RFC - is that the implementation plan?
- The slowdown would be a large problem if this feature was always on.

And if it can be implemented as a PECL module, that would be preferable to me than a core module of php.
If it was in core, having to support that feature may limit optimizations or implementation changes that could be done in the future.

If it's implemented in the same way as taint (i.e. cannot be used in combination with XDebug, blackfire, newrelic, etc.),
that would also be a problem for including it in core.
If it wasn't, then it'd slow down concatenation, calls, etc. even when the application didn't need is_literal.

I also imagine that whether or not opcache was enabled is likely to affect whether or not
something ends up being a literal or not
(e.g. opcache can evaluate functions such as str_repeat() for literals at compile time).
https://github.com/laruence/taint/blob/master/taint.c seems to already support a whitelist (php_taint_override_func),
so that isn't insurmountable for functions,
but it's possible `if ($local === 'literal') { process($local); }` would only satisfy is_literal() with opcache enabled.

Related projects (static analysis instead of runtime checks, though):

It's also worth noting that `vimeo/psalm` had an in-progress way to detect some ways in which tainted strings may be used by applications, based on a paper by Facebook.
(https://cacm.acm.org/magazines/2019/8/238344-scaling-static-analyses-at-facebook/fulltext (for HHVM, though))
https://github.com/vimeo/psalm/issues/611#issuecomment-515153305 - but it isn't completed or usable yet, as far as I can tell.

Wikimedia also created https://gerrit.wikimedia.org/g/mediawiki/tools/phan/SecurityCheckPlugin/, but that's currently beta.
Both would have ways they fail to catch every way an argument could be passed to a function (e.g. unanalyzable dynamic/framework calls).

- Tyson