Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] is_trusted - was is_literal
From: rowan.collins@gmail.com (Rowan Tommins)
To: internals@lists.php.net
Date: Wed, 23 Jun 2021 12:19:35 +0100
Message-ID: <8EFB7341-CD68-40E8-9DB2-B310DEFB6921@gmail.com>
In-Reply-To: <7D9709D1-2607-4CC5-8B99-A2CB5ED22E47@newclarity.net>

On 22 June 2021 10:09:50 BST, Mike Schinkel wrote:
>For my inspiration take a look at Trusted Types API in Javascript:
>
>https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API
>

There is an extremely important difference here: there is no single type in that system called "TrustedString", there are separate types for each context ("injection sink"). The W3C article calls this out explicitly:

> Note: This allows the authors to specify the intention when creating a given value, and the user agents to introduce checks based on the type of such value to preserve the authors' intent. For example, if authors intend a value to be used as an HTML snippet, an attempt to load a script from that value would fail.

This is not just an implementation detail, it's an absolutely essential part of the concept.

So let me add my name to the chorus saying that is_trusted() is a bad name, and the added features that led to its selection make this feature worse, not better.

Most of a "trusted types" implementation can be written in pure PHP, because all you need is an object with a private string property and some appropriate constructors.

The one part you can't do is trust strings provided in source differently from strings provided by the user, and the original proposal provided a straightforward mechanism for that purpose.

There is no reason why is_literal itself needs to know about "trusted value objects", or have a long list of special cases to construct a string that is "not actually a literal but we can't think of any way to exploit it". That can all be handled by the userland code:

* Create a class called TrustedSql
* Accept a parameter of type string|TrustedSql. If the parameter is a string, reject it if is_literal returns false
* Or, if a pseudo-type is provided as well, just accept literal_string|TrustedSql
* If the user wants to provide dynamic SQL, they need to construct a TrustedSql object using whatever mechanism the library wants to provide. That can include an audited sprintf pattern, imploding arrays of integers, whatever turns out to be useful.

I think the engine should leave the complexities of defining "trusted" to APIs specialising in a particular "injection sink", and provide the low-level building block they need, which is the original simple is_literal function.

Regards,

-- 
Rowan Tommins
[IMSoP]
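The TrustedSql design sketched in the message above, as an added example that is neither Rowan's code nor the RFC's: it assumes an is_literal() function with the behaviour the original RFC proposed (true only for strings written in PHP source; the function was never merged), and the class, method and runQuery() names are mine.

```php
<?php
// Added example, not code from the email or the RFC. It assumes is_literal()
// exists with the behaviour the original RFC proposed: true only for strings
// written directly in PHP source. Class and function names here are mine.
final class TrustedSql
{
    private function __construct(private string $sql) {}

    // Wrap a string only if the engine reports it as a source literal.
    public static function fromLiteral(string $sql): self
    {
        if (!is_literal($sql)) {
            throw new InvalidArgumentException('SQL fragment is not a source literal');
        }
        return new self($sql);
    }

    // Audited dynamic construction: "col IN (1,2,3)" from a literal column
    // name and values verified to be integers, so no quoting can slip in.
    public static function inIntList(string $column, array $ids): self
    {
        $col = self::fromLiteral($column);
        foreach ($ids as $id) {
            if (!is_int($id)) {
                throw new InvalidArgumentException('IN list accepts integers only');
            }
        }
        return new self($col->sql . ' IN (' . implode(',', $ids) . ')');
    }

    // Joining trusted fragments yields a trusted fragment.
    public function append(self $other): self
    {
        return new self($this->sql . $other->sql);
    }

    public function __toString(): string { return $this->sql; }
}

// The injection sink: a bare string is accepted only if it is a literal;
// anything assembled at runtime must arrive as a TrustedSql object.
function runQuery(PDO $pdo, string|TrustedSql $sql, array $params = []): PDOStatement
{
    $sql = is_string($sql) ? TrustedSql::fromLiteral($sql) : $sql;
    $stmt = $pdo->prepare((string) $sql);
    $stmt->execute($params);
    return $stmt;
}

// Accepted: literal prefix plus an audited integer list (ids the application
// already cast to int). A runtime-built string passed to runQuery() would throw.
$sql = TrustedSql::fromLiteral('SELECT id, name FROM users WHERE ')
    ->append(TrustedSql::inIntList('id', [1, 2, 3]));
```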