Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:114848
Return-Path: <matthewmatthew@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 64575 invoked from network); 13 Jun 2021 21:14:17 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 13 Jun 2021 21:14:17 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 7686D18050A
	for <internals@lists.php.net>; Sun, 13 Jun 2021 14:30:23 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <matthewmatthew@gmail.com>
Received: from mail-ua1-f54.google.com (mail-ua1-f54.google.com [209.85.222.54])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Sun, 13 Jun 2021 14:30:22 -0700 (PDT)
Received: by mail-ua1-f54.google.com with SMTP id e20so1533332ual.9
        for <internals@lists.php.net>; Sun, 13 Jun 2021 14:30:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=y7u/WdsdHiD3t8Vv3HjH5WjA57781qf+NSl0F1hneVQ=;
        b=oxYBqwSPKfyOrlLvz+grR1pUfq65L3d0xOG1yhuH/g3GM7UYgK00oQQVFCijP2/rz2
         RjMHNnd4q+PpR6J5Ek0vRwZaOrl55thSDOYayFCtV3bgpSDIRR+1HO2Tkv60EAjqA7Fb
         rfYqDPAEMHW7rB6+sB+dVMvx1Ejf2tuW6ZnZ222y6RY9bYBlzCtKL2Gzg05JVtIRv43u
         fiscP9vgIyeWqgT+EjtfNNtyBOVZnaa7JKIMzZqN+/40W6ArSVkVlc/ZJXxnkKPSnLLK
         bmsQbCIyl2EVL9lyDCvigiC4ZW3aMDOlBT7sIkGj4TAeUQ715nBKGqt7IA9mrMnIFE/a
         7Cnw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=y7u/WdsdHiD3t8Vv3HjH5WjA57781qf+NSl0F1hneVQ=;
        b=moySsWxd3aNCN2H5C6/Ev7ItkpfojPIHLSZMJMUc8HYZqAAatiGe5sfXqTSqPisxG7
         3jNhfvRqjOt7q6NUEfON04Y7PLQ3OQma1JOnHAbmVVi0uTfNlAPHrlhRBwqrir1Xk5kI
         s9mg3o/kiQ4K/8sfrZ7/79Ik95ZLyO9QJ3m2DY2KSWQrMVMd0PUHgZZcFEbN2fHNtwSp
         NNRzILk/CCnlZ0LHv0+WOe7Vvu01JJyZDHtPWtrzJ9GSLeoZpi308nGyYYQocGS7Ru3x
         8YfCX/opxR/E5tpEuE3clAPKL7nY7RprYuI6j61hkWTkSHt9QjdpHzPHCJ4fOF9F+QMl
         LL7w==
X-Gm-Message-State: AOAM531frIkBnphLsO5E3Jv0yNZfHpASXYOduXrlDQIoq03p/h3MaqjQ
	w/HrfGOkeSfx36bHBQkbR3/IlLBXJ3bTqwlDpr0=
X-Google-Smtp-Source: ABdhPJyOuZjauqJoSaO94lmdwsIUe4tKrOPKp+JrVVUY8HTRSW5vOj6yQglwDOSwDQ0dQpgRupdGBHLvvtRBiAUAwSg=
X-Received: by 2002:ab0:a8c:: with SMTP id d12mr10028249uak.47.1623619817652;
 Sun, 13 Jun 2021 14:30:17 -0700 (PDT)
MIME-Version: 1.0
References: <CAFv4g+F-7F7o6va5wCrojKe+Uysx2Ec3H4yV_mUZYEyNm3MkdQ@mail.gmail.com>
In-Reply-To: <CAFv4g+F-7F7o6va5wCrojKe+Uysx2Ec3H4yV_mUZYEyNm3MkdQ@mail.gmail.com>
Date: Sun, 13 Jun 2021 17:30:06 -0400
Message-ID: <CAKuGYLQzPAHGNTYwJne821DK_NHB-0Tw2Ejr3Z+C+m_B0QG2iQ@mail.gmail.com>
To: Craig Francis <craig@craigfrancis.co.uk>
Cc: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="0000000000007b459105c4ac727f"
Subject: Re: [PHP-DEV] [RFC] is_literal
From: matthewmatthew@gmail.com (Matthew Brown)

--0000000000007b459105c4ac727f
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Sat, 12 Jun 2021 at 13:00, Craig Francis <craig@craigfrancis.co.uk>
wrote:

> Hi Internals,
>
> I'd like to start the discussion on the is_literal() RFC:
>
> https://wiki.php.net/rfc/is_literal
>
> is_literal() brings a proven way to identify Injection Vulnerabilities to
> PHP, already used by Google in their Java and Go projects, and is current=
ly
> being added to JavaScript. It's a lightweight and simple approach:
> "Distinguishing strings from a trusted developer from strings that may be
> attacker controlled", allowing Libraries to identify the mistakes made by
> the thousands of developers using them incorrectly.
>
> When Libraries use is_literal() to protect against these mistakes, we can
> trust their output, and (as covered in the Future scope section) PHP can
> then raise warnings with certain native functions like PDO::query,
> mysqli_query, exec, preg_match, etc. (we would only consider warnings,
> anything stricter like exceptions would be in many years time, if at all =
-
> the intention is to alert and inform people, not break things).
>
> The length is due to the FAQ Section, on why it's needed, how it can be
> used by Libraries, and the important differences of using this flag versu=
s
> the flawed Taint Checking approach with its false sense of security
> (error-prone escaping).
>
> Thanks,
> Craig Francis
>
>
> PS: If anyone wants to discuss face-to-face on Zoom, I'll be available (U=
K
> Time/BST/UTC+1) at:
>
> https://chat.craigfrancis.co.uk/
>
> Saturday 12th June, 6pm to 8pm;
> Sunday 13th June, 10am to Midday;
> Monday 14th June, 5pm to 7pm;
> Tuesday 15th June, 9pm to 11pm;
> Thursday 16th June, 10am to Midday;
> (other times on request)
>


Hi Craig and Dan,

I was skeptical about the first draft of this RFC when I saw it last
month, but now I see the light (especially with the concat changes). This
looks like a very solid solution for any library authors wanting to add a
layer of protection against SQL injection attacks. Sorry for any
unnecessary grief I caused.

The only remaining issue I have is performance =E2=80=94 Psalm and other st=
atic
analysis tools perform quite a lot of concatenation (and never have to
worry about user input). What sorts of slowdowns do you see when running
those tools?

Best wishes,

Matt

--0000000000007b459105c4ac727f--