Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:114962 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 33803 invoked from network); 18 Jun 2021 17:05:51 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 18 Jun 2021 17:05:51 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id DEC1A1804C0 for ; Fri, 18 Jun 2021 10:23:09 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-lf1-f48.google.com (mail-lf1-f48.google.com [209.85.167.48]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Fri, 18 Jun 2021 10:23:09 -0700 (PDT) Received: by mail-lf1-f48.google.com with SMTP id x24so17812337lfr.10 for ; Fri, 18 Jun 2021 10:23:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=craigfrancis.co.uk; s=default; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vOYSkmDdObDpey0F2mfSI7b0kkt5JcQ7K1fvdx+yy6o=; b=FXh4wlNZ/WkCNEc5BPeK7e/mVS7GBbpiA+6l/JZhUu2483ZNEBj8xMi522Cb6mp1h7 /CmqBb9fx9JRZc4ivVOpgQWLf5bylfK/CAwtZ+wFDKxqIHeFYEMzc/GzMq/8zIyXT/Vh EfdNcNqWblrJeZktKB48gW232CMBODYvIKBtE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vOYSkmDdObDpey0F2mfSI7b0kkt5JcQ7K1fvdx+yy6o=; b=A9jLN72yiPWjmQSpW4f91ryDKXUXl104aD9gL68QAkrIVFINIkbIqjxwH/dUmBEQCD RO9rULrh2yPRjHBr51CvjEtdUWLbPDd7xQbTxArF8Fk5Jxlkk4DveK9nqCPhu+BarRwi 4IszQIl7dbOCisYkgUVeaZvQW5K2pyFu/qx7Ltszcr2pXPWlc7zEz9ASkCkkQ4tiuhdy fA1cvswn3ewJXO2eLEO/TmHQLv3syrHOEcB0+OSS3qV3diPraooaX5dSyzhmhKhX1mts bObXGQb3QYkYNBY/BasWxZO2T1jw4XuY01A9lIcSw7WpKQVPea6uwEb/HgEv1iTvcjaB 97WQ== X-Gm-Message-State: AOAM531q0TN9VKpyU3d5dT3IGWwmikY0B6BQ87sl5/C2uBl9XH6+YFzY grfme0WLa54F1ytB+4lcJGqLOmXQJ6IJ9vmi7ChJew== X-Google-Smtp-Source: ABdhPJzBl1ZWUC4ZBBHjZfdK6Ua2NUKSXNR6s81rWA7InhFMPXvFzCgR9YHN1+gy5CguZHD7qUxhSaHsRozPyPczNto= X-Received: by 2002:a19:a406:: with SMTP id q6mr3960471lfc.616.1624036987343; Fri, 18 Jun 2021 10:23:07 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: Date: Fri, 18 Jun 2021 18:22:56 +0100 Message-ID: To: Bruce Weirdan Cc: Guilliam Xavier , PHP Development , Pierre Content-Type: multipart/alternative; boundary="000000000000bba87905c50d93cc" Subject: Re: [PHP-DEV] Re: [RFC] is_literal From: craig@craigfrancis.co.uk (Craig Francis) --000000000000bba87905c50d93cc Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Fri, 18 Jun 2021 at 15:47, Bruce Weirdan wrote: > One would be potential denial of service prevention (e.g. with enormous > `LIMIT` value where only a limited set of ints was intended. > [...] Here you really *don't* want $allowed_ids to include user input. The developer is writing this query to find those IDs and what the developer asks for is what they get, the values inside that list came from somewhere else and *that part earlier* is the bit with the unknown vulnerability that allowed the value in there. I can=E2=80=99t address logi= cal flaws from the Developer; what you=E2=80=99re describing is a different iss= ue. This RFC is to help prevent Injection Vulnerabilities, and it can=E2=80=99t be a= n Injection Vulnerability because the variable doesn=E2=80=99t contain comman= ds, it=E2=80=99s only containing values. We cannot create anything entirely =E2=80=98safe=E2= =80=99 there=E2=80=99s no such thing as =E2=80=98safe code=E2=80=99, and neither I or anyone else = can hope to create a single RFC that can do that. If we just use the original is_literal (without integers), the only difference in your example will be that, when using integers for something like this, the developer will need to use a Parameterised Query instead (because we=E2=80=99d only be accepting literal strings) to do the exact sa= me thing, and get that same outcome. Overall I think allowing ints in literal concatenation without tainting the > result as non-literal is a mistake. To counter this, supporting integers makes adoption easier, and it=E2=80=99= s not causing any security issues. I prefer something that more developers/systems will be able to easily use, especially when updating existing code. > BTW, Psalm already distinguishes `literal-int` from `int` > Psalm is its own engine - it=E2=80=99s looking at the code, not running it,= so it=E2=80=99s not negatively impacting performance. However PHP itself cannot do this, integers cannot include a flag to state if they came from source code, because adding would have too much of a performance impact. Or to quote Joe directly "We can't really do that, non reference counted types are stack allocated, ie the zval on either side of a call boundary are unique." We can=E2=80=99t split integers into two groups. It=E2=80=99s accept intege= rs or no integers at all. And no integers really isn=E2=80=99t feasible for most dev= elopers. Craig --000000000000bba87905c50d93cc--