Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:115043 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 19320 invoked from network); 22 Jun 2021 19:43:06 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 22 Jun 2021 19:43:06 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 400821804D8 for ; Tue, 22 Jun 2021 13:01:26 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-pf1-f170.google.com (mail-pf1-f170.google.com [209.85.210.170]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Tue, 22 Jun 2021 13:01:25 -0700 (PDT) Received: by mail-pf1-f170.google.com with SMTP id c8so428764pfp.5 for ; Tue, 22 Jun 2021 13:01:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:date:from:to:cc:subject:in-reply-to:references :user-agent:message-id:content-transfer-encoding; bh=qbMHZbQ56sAzjin4bYn4oakiairLZggvTsL3qGEqsQo=; b=iQE6bgU2wtJWxxllLUBQiiJpWuuzpFnlW4AXLL/PTAa/YuWaYhf6Yzi6GVBWSM8oYo iC0plj/28HqH1vW9V6XPFAqCjIST6KV+0jLfGNFWUxeQ206Wa1nd5WKNwXSHuztmw66i dVN0fRzlM2ODWjkMqp4kkPyXy49xYLhWE2QehQ+vuTBnqfTpwj3LpvSn6aRXA5vZNTeC Jk2o71btv/0RVY8N8AZffYqWStS+Uk1CiP7NqxYBsyg4ySM89NzCOBF//9ZugD/ZPU3z oo6mYmX8Gp9ttmfomGt0EzAb4+4iIqucm08IFPAu4TWKdo8T+lsv2cwvo1SLx2QEDzpf aq8Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:date:from:to:cc:subject:in-reply-to :references:user-agent:message-id:content-transfer-encoding; bh=qbMHZbQ56sAzjin4bYn4oakiairLZggvTsL3qGEqsQo=; b=Qeuas21WY2/k6nTzGhWbNj8F0kdZKVIZUI7ELqKmjFgmsW/Q0YD8iy669s4saL9Nr5 dJ5C3+4kvhBJzbNzfljMXK9drZ1dAIK/c+FVxgaacZQ0yl/gR5CFy2alWaV/ChznrdPZ /o0NhxFC5MCQkVrdjY7XRRSN99E8Qw6Iiq+oWFpC0wSWMX/TzfgH3pIzaNmLR5uHZHbI D5+vd2oPrDJ/G6XRAIjKyhU78YvJafzLlTZ8rk35ruOdspmmuIp40/wBl80pshS+I45P qzYpXlJyBguXjrkUSTLyhYpea16FYf1kaPnIk1pFdVDgmTFmNywUTsXPcLSbl8V4X+QR Hm2Q== X-Gm-Message-State: AOAM531w4luo2kpVWEfxcD9Gr3FoAvkqpQn0v7oB/QcH5a1Y07vstHi8 YmliC/gZkE+6IT3oqAxH4aQ= X-Google-Smtp-Source: ABdhPJzLUKWdfF47vh/+sPq8uSdQaUR8LlGeZ+zCwYMyNWtVxfkB5q/rVl+gCqN85Gap/4CJ0Pg4FQ== X-Received: by 2002:a63:fc06:: with SMTP id j6mr346479pgi.226.1624392083194; Tue, 22 Jun 2021 13:01:23 -0700 (PDT) Received: from k-piste.fi (k-piste.fi. [95.179.136.7]) by smtp.gmail.com with ESMTPSA id j24sm156980pfe.58.2021.06.22.13.01.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 22 Jun 2021 13:01:22 -0700 (PDT) MIME-Version: 1.0 Date: Tue, 22 Jun 2021 23:01:15 +0300 To: Stephen Reay Cc: Craig Francis , Benjamin Morel , Derick Rethans , PHP Internals , Yasuo Ohgaki In-Reply-To: <358756DC-87F9-4FD9-AE62-CB27BA296F33@koalephant.com> References: <0CD1762E-6094-4DEB-B1B5-22CFBDAAFF44@php.net> <9B304735-E0AD-4CC0-98BF-AAF4CE5FA52C@koalephant.com> <358756DC-87F9-4FD9-AE62-CB27BA296F33@koalephant.com> User-Agent: Roundcube Webmail/1.4.11 Message-ID: X-Sender: lauri.kentta@gmail.com Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Subject: Re: [PHP-DEV] [RFC] is_trusted - was is_literal From: lauri.kentta@gmail.com (=?UTF-8?Q?Lauri_Kentt=C3=A4?=) On 2021-06-22 21:38, Stephen Reay wrote: >> On 22 Jun 2021, at 21:38, Craig Francis >> wrote: >> >> If you can point me to an example where including integers in this has >> introduced a security vulnerability then please do, and I mean it, >> that’s >> what this process is for, I genuinely want people to come forward with >> them >> so we can refine this. > > > It took me about a minute to think of this: > > "select * from customer_purchases where {$column} = :value”. > > The developer inadvertently passes the same “trusted value” in as the > `$column` substitute and the value parameter. It must be safe because > we ran it through `is_trusted`! > > The query now executes as: > > "select * from customer_purchases where 12345 = 12345” > > > You cannot magically make all dynamically generated queries safe - > they tried that about a quarter of a century ago. Hint: it did not end > well - and explicitly allowing some user input is just mind boggling > given the stated goals. Your example is interesting and kind of valid. Looks like there is a bug in the code: $column is sometimes an user-defined integer and sometimes a valid literal column name, clearly this should not happen. (If it was supposed to be integer, you would pass it as a parameter just like :value, right?) Is this RFC about preventing bugs (accidentally used wrong variable) or preventing bad code (user input intentional but used the wrong way)? I thought it was more the about bad code. Bugs can live even in literal queries as well as outside queries, where is_literal/is_trusted can't reach them. Another line of thought: One possible approach would be to accept only explicit integer casts (sprintf %d and %u, and a new function like implode_ints() and/or strval_int()) and otherwise only accept strings. This would avoid the accidental case where $x is supposed to be a trusted string but is an untrusted integer instead, like the given example. -- Lauri Kenttä