Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:114836 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 38906 invoked from network); 12 Jun 2021 17:30:17 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 12 Jun 2021 17:30:17 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id A506E1804D1 for ; Sat, 12 Jun 2021 10:46:05 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-ot1-f47.google.com (mail-ot1-f47.google.com [209.85.210.47]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Sat, 12 Jun 2021 10:46:05 -0700 (PDT) Received: by mail-ot1-f47.google.com with SMTP id 6-20020a9d07860000b02903e83bf8f8fcso6497921oto.12 for ; Sat, 12 Jun 2021 10:46:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fvUwcFn8L1A7x9p51SyG94/OxtUZYONZH5qbTxQy76k=; b=sxtwrRxNFs6yEnIJX0hGhzW9c6OrwH7tJ3aKQOxvNvHKSo7rTXV8kSWe+OxTB5QjRq hxXgqlQWpqXVGSq3tNfUH4Cb7fbZLHlWkEiluZcGJL4EkfxlrqevF7MeP3+lJF+1hqLv cO9SS//9KgSgwUZiN+7ZohRGTUHEBVWRuKBMJopfRiHibewuyIcJ2RY1YADGzYzhTw/c P9mS/jVhGH6Ov+KOJR8tRuBH7xm7ASazxbWPbSxtnBolBskzIUSf0Ayis/T/pHRoRf1p 2YbM3NWTf3p3QQyhrA32OcbDvvl0qX7NyLkq59y0tcN9Jk+qVVtYjZCn1HhoyCk8xzUG fWmA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fvUwcFn8L1A7x9p51SyG94/OxtUZYONZH5qbTxQy76k=; b=e1NUKIi1Xn1Q6qOjE+gGnRFAQaYvWhI0NIgAhrv5Ioyr0SWMUT9r/ZbPHeYmcAsbUu rxTVaKaDFLiapPUXJJxgdLtWcQcThrOjJUhixgfj9iTywJDK6zGo1xQ0vtxMRTd+pOlK e0QXJTu2+hHMNJf82uIswUdYoJxl3+NQnbfWkDmHFvaiwLasl/UN/fFMCrbQIO1/aAVR XL0pytL4oeUvDjHjT1mjWvi8ktNXBUtzKy8V/GHoy+nEtfGhZgLEQahVORyxfAxXFo1h 8E7vxu5Eo4/ZJ7LU12d1cnBlgKT9T16iI0xqhWrt0K23RlxF/n9FGM4dr5ZlkCRop+Da 2XWg== X-Gm-Message-State: AOAM5303Cd3NjC90ukC7j1kY4qUs/wYkudjtARWQp4ZQl5U9HpJktFZ3 K4gALMIzSWDdVLe9HwpsJRLyQHEAP0s0h3HQbHxenL+tT4E= X-Google-Smtp-Source: ABdhPJwlNcJIPTS8ECd+HZ/JowXkjY+SttXMS8TfwRxhsB78haLRImVeFspeXsaVbjaVzRYnPjWhvoR1FtzH7zAHfJ4= X-Received: by 2002:a9d:6285:: with SMTP id x5mr7665275otk.278.1623519963800; Sat, 12 Jun 2021 10:46:03 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: Date: Sat, 12 Jun 2021 19:45:53 +0200 Message-ID: To: Craig Francis Cc: PHP internals Content-Type: multipart/alternative; boundary="000000000000ba696a05c495328f" Subject: Re: [PHP-DEV] [RFC] is_literal From: krakjoe@gmail.com (Joe Watkins) --000000000000ba696a05c495328f Content-Type: text/plain; charset="UTF-8" Afternoon all, While this is not at all my idea, I wrote the patch, so my words may seem bias/hollow. Still, here are some words ... In the past this kind of feature would have been extremely invasive, it would have had so many edges because of the way we handled strings that it was never really feasible. Today the implementation of this is not particularly invasive or complicated, and it lends a very useful tool to the developer. This starting place, of second class support seems like a reasonable starting place, but there is a possible future where we have first class support. This may or may not be appealing and we'll be in a better position to judge when we see how this may be used in the wild. Cheers Joe On Sat, 12 Jun 2021 at 19:00, Craig Francis wrote: > Hi Internals, > > I'd like to start the discussion on the is_literal() RFC: > > https://wiki.php.net/rfc/is_literal > > is_literal() brings a proven way to identify Injection Vulnerabilities to > PHP, already used by Google in their Java and Go projects, and is currently > being added to JavaScript. It's a lightweight and simple approach: > "Distinguishing strings from a trusted developer from strings that may be > attacker controlled", allowing Libraries to identify the mistakes made by > the thousands of developers using them incorrectly. > > When Libraries use is_literal() to protect against these mistakes, we can > trust their output, and (as covered in the Future scope section) PHP can > then raise warnings with certain native functions like PDO::query, > mysqli_query, exec, preg_match, etc. (we would only consider warnings, > anything stricter like exceptions would be in many years time, if at all - > the intention is to alert and inform people, not break things). > > The length is due to the FAQ Section, on why it's needed, how it can be > used by Libraries, and the important differences of using this flag versus > the flawed Taint Checking approach with its false sense of security > (error-prone escaping). > > Thanks, > Craig Francis > > > PS: If anyone wants to discuss face-to-face on Zoom, I'll be available (UK > Time/BST/UTC+1) at: > > https://chat.craigfrancis.co.uk/ > > Saturday 12th June, 6pm to 8pm; > Sunday 13th June, 10am to Midday; > Monday 14th June, 5pm to 7pm; > Tuesday 15th June, 9pm to 11pm; > Thursday 16th June, 10am to Midday; > (other times on request) > --000000000000ba696a05c495328f--