Newsgroups: php.internals
Xref: news.php.net php.internals:114835
Subject: [RFC] is_literal
From: craig@craigfrancis.co.uk (Craig Francis)
To: PHP internals
Date: Sat, 12 Jun 2021 18:00:12 +0100

Hi Internals,

I'd like to start the discussion on the is_literal() RFC:

https://wiki.php.net/rfc/is_literal

is_literal() brings a proven way to identify Injection Vulnerabilities to PHP, already used by Google in their Java and Go projects, and is currently being added to JavaScript.

It's a lightweight and simple approach: "Distinguishing strings from a trusted developer from strings that may be attacker controlled", allowing Libraries to identify the mistakes made by the thousands of developers using them incorrectly.

When Libraries use is_literal() to protect against these mistakes, we can trust their output, and (as covered in the Future scope section) PHP can then raise warnings with certain native functions like PDO::query, mysqli_query, exec, preg_match, etc. (we would only consider warnings; anything stricter like exceptions would be in many years' time, if at all - the intention is to alert and inform people, not break things).

The length is due to the FAQ Section, on why it's needed, how it can be used by Libraries, and the important differences of using this flag versus the flawed Taint Checking approach with its false sense of security (error-prone escaping).

Thanks,
Craig Francis

PS: If anyone wants to discuss face-to-face on Zoom, I'll be available (UK Time/BST/UTC+1) at:

https://chat.craigfrancis.co.uk/

Saturday 12th June, 6pm to 8pm;
Sunday 13th June, 10am to Midday;
Monday 14th June, 5pm to 7pm;
Tuesday 15th June, 9pm to 11pm;
Thursday 16th June, 10am to Midday;

(other times on request)
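The way a library would use the proposed function, as an added example that is not from the RFC, from PHP itself or from any existing library: a small database wrapper accepts SQL only when is_literal() reports it was written by the developer, and pushes all user data through bound parameters. It assumes a PHP build carrying the RFC's implementation (is_literal() was never merged into PHP), under which strings written in source code, and concatenations of such strings, are literals, while values from $_GET or $argv are not. The class names SafeDb and UnsafeQueryException are invented for the example, and the SQLite table is constructed sample data.

```php
<?php
declare(strict_types=1);

// Added example: a library-side check built on the proposed is_literal().
// Assumes the RFC's semantics: source-code strings (and their concatenation)
// are literals; request parameters and command-line arguments are not.

final class UnsafeQueryException extends RuntimeException {}

final class SafeDb
{
    public function __construct(private PDO $pdo) {}

    /**
     * Runs $sql with bound $params. The SQL text itself must be a literal;
     * user data goes through the parameters, never into the string.
     *
     * @param array<string, string|int|float|null> $params
     */
    public function query(string $sql, array $params = []): PDOStatement
    {
        if (!is_literal($sql)) {
            // Refuse rather than try to escape: once a non-literal has been
            // mixed in, the library cannot tell which parts came from the developer.
            throw new UnsafeQueryException('SQL must be a literal string; bind values as parameters');
        }
        $statement = $this->pdo->prepare($sql);
        $statement->execute($params);
        return $statement;
    }
}

// --- Usage against an in-memory SQLite database (constructed sample data) ---

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
$db = new SafeDb($pdo);

// A value that arrives from outside the program: $_GET['name'] on the web,
// the first argument when run as `php example.php alice`. Neither is a literal.
$name = $argv[1] ?? $_GET['name'] ?? '';
if ($name === '') {
    fwrite(STDERR, "usage: php example.php <name>\n");
    exit(1);
}

// Correct use: the SQL stays a literal even when assembled from several
// literal pieces, and the outside value is bound as a parameter.
$sql = 'SELECT id, name FROM users' . ' WHERE name = :name';
$rows = $db->query($sql, ['name' => $name])->fetchAll(PDO::FETCH_ASSOC);
printf("%d matching row(s)\n", count($rows));

// The mistake the check is there to catch: outside data concatenated into the
// SQL. The result is no longer a literal, so the wrapper refuses it before it
// reaches the database, instead of relying on escaping being done correctly.
try {
    $db->query("SELECT id, name FROM users WHERE name = '" . $name . "'");
} catch (UnsafeQueryException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The check sits in the library, so the thousands of callers need no changes when they already use parameters; only the callers that concatenate get an exception pointing at the line to fix, which is the division of responsibility the RFC describes.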