Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:115014
Return-Path: <lauri.kentta@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 38004 invoked from network); 22 Jun 2021 09:29:57 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 22 Jun 2021 09:29:57 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 5943A180507
	for <internals@lists.php.net>; Tue, 22 Jun 2021 02:48:11 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.7 required=5.0 tests=BAYES_05,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,
	SPF_PASS autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <lauri.kentta@gmail.com>
Received: from mail-ej1-f50.google.com (mail-ej1-f50.google.com [209.85.218.50])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Tue, 22 Jun 2021 02:48:10 -0700 (PDT)
Received: by mail-ej1-f50.google.com with SMTP id ho18so33539401ejc.8
        for <internals@lists.php.net>; Tue, 22 Jun 2021 02:48:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:date:from:to:cc:subject:in-reply-to:references
         :user-agent:message-id:content-transfer-encoding;
        bh=7t726spynrK81Ynl5uMl/4p9To89+BNkxBLPQRnIAlM=;
        b=Upr57DzRWtOLFEQINk8ssxP3qZSNfO0mYmTwkvgewyC9S5XatbUh9D9Rv6AKIx07v+
         gQ53pf/G2qj7kVNu6Qh0m0fyhyqHk0RlWKtuCbRKD8sEMYP4FYCsU0/x+quIRA8ddFnn
         IsJrfWvwBZkU02bOFElUYbpc1gCjZ4LNK1yNL0Ml8AYZcq8OZLGBJyMiPBfQpKOAiXnO
         rCQ1FKQkQw6m7A8YWoBo/Co27TZxiMslHUqfw5AIdJgVrNaxvBARfrcuLD7NLTGixL8m
         YknHkHNbqBEbNRmZD2u9oizf94dD3zdmTXn9nUhJlJVVB+FmgHnwhmvSf1BmgPDIgojP
         XnrA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:date:from:to:cc:subject:in-reply-to
         :references:user-agent:message-id:content-transfer-encoding;
        bh=7t726spynrK81Ynl5uMl/4p9To89+BNkxBLPQRnIAlM=;
        b=KPRkKxgwnI2sgMdLZ4oltAIsWG7I9X0Bizc5Fmfa2vWFv7fT7d/xNEKANLFSuG70Xj
         n66IwNxUcSZRoAGDBftMaNZ/KRla2jHkKYgvJPCpe/OJqqt8KE0lQj0Zyqp4E0EbpFv/
         1JWfDz+xk2qgONcz0F9DYATcYVPRApIqHgBGsZch97pY3J9CWiI/xsyhqdbIDivqu72/
         mJoK6D1og2Ag1sicnlXk2EJTSWOrN63YMgmYtsW5UfONXrtA+dJ++JrDuxz0SUD3E+nh
         RN19OnBMHVziBiz3IL4Egrgtys9Y/M7YznyZoUaC1PD8s5vwVWR5v2Q9j6i8q8efFI3o
         PqUA==
X-Gm-Message-State: AOAM530sTZ6/d6NvfdnvcJ6uaizjW7VuIv10XMC55MKB6mW0LT91VaRY
	S8CTEgqK98mfaF09psq5QvRnMzKykiA=
X-Google-Smtp-Source: ABdhPJz+V5ONE2TvsfeI2XG4jxTUgdib/0PjHDgxURz8FTvLTEK+FyCX36xzx/n4rzRghn8TpNaD9w==
X-Received: by 2002:a17:906:8a72:: with SMTP id hy18mr2989971ejc.393.1624355289590;
        Tue, 22 Jun 2021 02:48:09 -0700 (PDT)
Received: from k-piste.fi (k-piste.fi. [95.179.136.7])
        by smtp.gmail.com with ESMTPSA id aq21sm6189625ejc.83.2021.06.22.02.48.08
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 22 Jun 2021 02:48:09 -0700 (PDT)
MIME-Version: 1.0
Date: Tue, 22 Jun 2021 12:48:08 +0300
To: Craig Francis <craig@craigfrancis.co.uk>, Joe Watkins
 <krakjoe@gmail.com>
Cc: PHP internals <internals@lists.php.net>
In-Reply-To: <CAFv4g+GjXqiZkA2fawt7jHDtDAKjB0rv=Lfbcobu7bn8B=wvpw@mail.gmail.com>
References: <CAFv4g+GjXqiZkA2fawt7jHDtDAKjB0rv=Lfbcobu7bn8B=wvpw@mail.gmail.com>
User-Agent: Roundcube Webmail/1.4.11
Message-ID: <7b1af9310312e0b1435b93490160e08d@gmail.com>
X-Sender: lauri.kentta@gmail.com
Content-Type: text/plain; charset=UTF-8;
 format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [PHP-DEV] [RFC] is_trusted - was is_literal
From: lauri.kentta@gmail.com (=?UTF-8?Q?Lauri_Kentt=C3=A4?=)

On 2021-06-21 23:25, Craig Francis wrote:
> 
> - Integers are now included, which will help adoption:
> 
> https://wiki.php.net/rfc/is_literal
> 

Thanks for the great improvements!

sprintf seems to have some issues, though.

Currently you're checking the parameter types, not the formats.
The parameter type matters only when coercing to a string (%s).
Otherwise sprintf should consider the format, not the parameter.

Example:
<?php
function test($s) { var_dump($s, is_trusted($s)); }
setlocale(LC_ALL, "de_DE.UTF-8");
test(sprintf("SET c = %c, f = %f, e = %e", 0x27, 1234, 1234));
test(sprintf("SET d = %d, x = %x, b = %b", 1e2, 1e2, 1e2));
test(sprintf("SET weird_d = %''*d", 4, 1));
test(sprintf("SET s = '%s', int to string should be ok", 123));
?>

Currently:
string(43) "SET c = ', f = 1234,000000, e = 1.234000e+3"
bool(true)
string(32) "SET d = 100, x = 64, b = 1100100"
bool(false)
string(18) "SET weird_d = '''1"
bool(true)
string(41) "SET s = '123', int to string should be ok"
bool(true)

Obviously the results with ints and floats should be the opposite.

If you really want to allow %c, so be it, but I'd disallow it on the 
grounds that (1) it's probably not used in secure strings (usage data, 
anyone?), and thus (2) it could easily be a misspelled %d (for example, 
'%c' instead of '%d' could silently produce an empty result in a query), 
and (3) you're allowing a simple workaround with %s and chr() which 
makes the intent more obvious.

In general, as this is supposed to be a security feature, allowing 
multiple ways for uninformed people to produce "trusted" but actually 
very unsafe values doesn't look like a good idea. I'm not sure if 
allowing trusted single characters to be created through chr or %c 
serves any useful purpose, but I can imagine people using either one 
without realizing that they can create any character, including \0 or ' 
or " or non-UTF-8. Better to leave only chr(), one less thing to worry 
about.

Custom padding is a weird edge case, maybe just disallow that too?

As you said yourself, it's not easy to prove anything safe. ;)

-- 
Lauri Kenttä