Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:115028 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 75899 invoked from network); 22 Jun 2021 14:20:49 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 22 Jun 2021 14:20:49 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 4DD94180532 for ; Tue, 22 Jun 2021 07:39:06 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-lf1-f52.google.com (mail-lf1-f52.google.com [209.85.167.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Tue, 22 Jun 2021 07:39:05 -0700 (PDT) Received: by mail-lf1-f52.google.com with SMTP id i13so36292714lfc.7 for ; Tue, 22 Jun 2021 07:39:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=craigfrancis.co.uk; s=default; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mQBDg5AcG0gTKdI9/XgPvXmEqNpu9aL7b8Iw86kYCMA=; b=Z2G44PQ67OLT5FzweCaPOlUUzNuGW+8TDzlL2oYI+j76lg2pgbt7w4UeKZHFGpXC9C la7s3gD49tRVkCRaJb7zcQUJfDfZpD57J8yF69cX1gFke5ZoGYZJYpSUNpzqGwWtM7zH TEgqQglDNwbCOxdtAsF9kKooKJSKLictQlOY4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mQBDg5AcG0gTKdI9/XgPvXmEqNpu9aL7b8Iw86kYCMA=; b=Sz1UjdAKs0oS5mDRsAZXh0DnrgMt0xWpfjk/JvMcg+UZaf8fKXMrxwC6Ul+X7b/r/X u1sPB69zCY6qt09Tr1UttmJUHnRVTIMlaL6/lZmzIap6M91SOMQ8yefPH5OatodTRq3r 9RdO/KV8shb2zC2z+mpvgAsPfXGWZuHqFWONkUpBMVf9mUz8KrO7Xa0WSoIMQ5+0RTSN sj4N25aF3MquD8A0tPkgNbHWk83SV8p0dXGPq7V5G5jERyHj5MSVBxQVH4/92FmjwXGq yF270kT6uAnqsCgkOtsrKj+d3aA/isJQxJnWH7XX2HNYOk1bpkAAkKmNBZ6QKl56snuS lSXQ== X-Gm-Message-State: AOAM532qn8i9ii38tOWZ9gjVr0W0knEgNDB/fb7ZFTGlKvV8hO5h0tLw Xpz+F8ANZiQqh6BFuhFQz/U8sZFRCIpfKeHGQyWXKg== X-Google-Smtp-Source: ABdhPJyMdMY/Z2VDxuiQnrW5C8J06S3cL9iqenTmpGqzL/4Ua69gsmMn7gOxJ+Lpb3FNAdAXLyfsPpZdT1LTKaIxqOA= X-Received: by 2002:ac2:4a61:: with SMTP id q1mr3145232lfp.572.1624372743226; Tue, 22 Jun 2021 07:39:03 -0700 (PDT) MIME-Version: 1.0 References: <0CD1762E-6094-4DEB-B1B5-22CFBDAAFF44@php.net> <9B304735-E0AD-4CC0-98BF-AAF4CE5FA52C@koalephant.com> In-Reply-To: <9B304735-E0AD-4CC0-98BF-AAF4CE5FA52C@koalephant.com> Date: Tue, 22 Jun 2021 15:38:51 +0100 Message-ID: To: Stephen Reay Cc: Benjamin Morel , Derick Rethans , PHP Internals , Yasuo Ohgaki Content-Type: multipart/alternative; boundary="00000000000057dc0605c55bc04d" Subject: Re: [PHP-DEV] [RFC] is_trusted - was is_literal From: craig@craigfrancis.co.uk (Craig Francis) --00000000000057dc0605c55bc04d Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Tue, 22 Jun 2021 at 3:05 pm, Stephen Reay wrote: > > On 22 Jun 2021, at 20:13, Craig Francis wrote: > > On Tue, 22 Jun 2021 at 09:59, Stephen Reay > wrote: > >> So I just want to make sure I understand the progression on this so far. >> It started out with people wanting a way to check that a string was a >> literal string, in code somewhere, and does not come from user input. Ok >> makes sense. The name makes sense too. >> > > > > The primary reason was never just to define literal strings, the intentio= n > has always been to create a practical, implementable solution to address > the issue of Injection Vulnerabilities (SQl/HTML/CLI/etc). > > > Preventing injection vulnerabilities may be your *goal* but I=E2=80=99m t= alking > about the *intended behaviour of this one function*. > I understand this is not the one true perfect solution, but that solution does not exist without tanking performance and never being accepted solely on that basis alone. If you can point me to an example where including integers in this has introduced a security vulnerability then please do, and I mean it, that=E2= =80=99s what this process is for, I genuinely want people to come forward with them so we can refine this. The only thing that you could suggest as an alternative is to not include integers at all. That is not realistic for the reasons I=E2=80=99ve stated = not just here, but in replies to others, and the RFC itself. So if we can=E2=80=99t = do that, and we can=E2=80=99t mark developer-integers for reasons mentioned before, = what else is there? That we just don=E2=80=99t do it?? Torpedoing the idea because it is not 100% idealistically perfect, and ignoring the fact that it, (as it stands right now with integers and all), **Prevents Injection Vulnerabilities** - the most common security vulnerability that dominates the top of the leaderboards again and again - and does that without adding in any new security vulnerabilities, is just nonsensical. Craig --00000000000057dc0605c55bc04d--