Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:115157 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 3880 invoked from network); 26 Jun 2021 13:28:50 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 26 Jun 2021 13:28:50 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id D37021804C3 for ; Sat, 26 Jun 2021 06:48:03 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE, SPF_NONE autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-vs1-f48.google.com (mail-vs1-f48.google.com [209.85.217.48]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Sat, 26 Jun 2021 06:48:03 -0700 (PDT) Received: by mail-vs1-f48.google.com with SMTP id e26so5744097vsh.7 for ; Sat, 26 Jun 2021 06:48:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=basereality-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=m/MoovMWRsjg5CMvO9tnYNIAnOhSvTbfxPCFvI1yR1c=; b=GcCmCqvEwiKj/6GLWoyttS7dM+ROR5+9uKYofwAHVMaKNksezlKojFj5i7hsXK2alF eiJSCWyq+rdwbu71HX2xNE11WmSRuJ3Kb1aASW2XozZlJo7P/1GDURF+c2EBZWAKDj9L 1WRvKsjF3jdL2Zq7fltkn2wWXm9reHF038+SM5wmfTsxf3O/WDp72u+6gve2+K9ncUpZ 8jq8nVe80ITetaqFJgljRaWv9zDGypJcyAp2yqh92NYCsDhBtTQOFtVhbnnSapVlKct7 HShLkIdMx0hburguSZTXh7LLnc8tXq+ywrD/9hzSXs5NPgkSD2pNmHhoRdo3NnwJCuGO 6exw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=m/MoovMWRsjg5CMvO9tnYNIAnOhSvTbfxPCFvI1yR1c=; b=XZc/qwdeD3gaHSfwTdO0qcKSpAIxofkXPPcqFGjDY2HgLqITtU9K8Mmn9JFgoCJaji /5I+EvYDJ07CSNchRvO/sp/bpTmXuDXKuLNZroEY0d1EzoYygJQCtocEHE4mwtGVIk6I tPIiS7JOG6xc6WNymkeaYA+GFbGznqBawLjt71iE5ehXa9JzWUhw/xf1SoVQMWv3Q7ew SiTjRehkA25I9Nvp99YH35erjbEMXbMZGrDQ7F0WNcdS8cjunKI2MMFDRKpqcPwnSA+n GSErUhJGN5njCLZjjE3uDcMyPRIo2eRSUrh89T8yxj/kmpvfO3ko3FdDnte9h+9pSfrH lltA== X-Gm-Message-State: AOAM532ixCYceKJfxXkoklZNuVlKuhtLRjVoZK8D1n8sQEtIx9vC00EF TnalsgPPCPvEVzHbevjnfJxGmXag7UeLBJl87zOPkQ== X-Google-Smtp-Source: ABdhPJynE+v+mzwwsz2JPEPQaAT+4fBD16PhIgSTwVjrvmaQ/NUNsxZZrJ8nrc1fHu3fdNctFI07pJiO82gJB435XYo= X-Received: by 2002:a05:6102:364b:: with SMTP id s11mr13420214vsu.49.1624715282591; Sat, 26 Jun 2021 06:48:02 -0700 (PDT) MIME-Version: 1.0 References: <95D16F2E-E9DD-4964-A0E2-62E1FB0D976B@koalephant.com> <4DE5E2EC-26D6-4D2C-95A9-B843B440EE87@koalephant.com> <26037CB4-4723-4DC5-BD92-BBDC4F548E17@koalephant.com> <24E12B58-7613-4E67-852C-3312F4AE769C@newclarity.net> <64D2FC1D-E4BA-46E7-A19E-3A7DE35B2096@gmail.com> In-Reply-To: <64D2FC1D-E4BA-46E7-A19E-3A7DE35B2096@gmail.com> Date: Sat, 26 Jun 2021 14:47:49 +0100 Message-ID: To: Rowan Tommins Cc: PHP internals Content-Type: text/plain; charset="UTF-8" Subject: Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted From: Danack@basereality.com (Dan Ackroyd) On Sat, 26 Jun 2021 at 13:47, Rowan Tommins wrote: > the actual bug will almost certainly have happened somewhere else in the > program, and you'll need to trace the data flow of $foo and $bar to find out where. > That depends on what you mean by bug. In particular I don't agree that "The actual root cause is in getColor(),". Whether user-controlled data is dangerous or not depends on where it's used, not where it's coming from. For me, the bug when $up->getColor() changes from returning a literal string to a user supplied value is in this line of code: "
"; Where a programmer has assumed that the value returned by $up->getColor() is a literal string. It's not a bug for that function to return a user controlled value. > so tracking the root cause could be just as difficult. Not as difficult. It would give the exact line of code where the bad assumption was made. literal_concat("
"); When $up->getColor() is changed from returning a literal string to a user controlled one, it would throw an exception. You could look at the exception, see that the 2nd parameter isn't literal and is coming from the getColor method, and know this code isn't safe and needs to be changed to something that can do the appropriate escaping. Even if the origin of the value was more obscure as you suggest, so maybe something like: function getDiv($color) { $div = literal_concat("
"); // ... return $div; } $color = $up->getColor(); $html .= getDiv($color); Although the origin of where the variable comes from wouldn't be in the stacktrace, the error still would be. There is a line of code that has a bad assumption of whether $color is a literal string or not, and it's that line of code that needs to be changed, to use something that understands HTML escaping, in particular how to escape user input for html attribute context. So even when the origin of a value might be hard to understand, the precise line of code that has the bad assumption would be part of the stacktrace, which makes figuring out the problem be a lot easier. That's why it worked for Google. By not having to understand where variables come from, but only having the error be where there are used inappropriately, you completely get rid of the "having to understand a large chunk of code" problem, and instead only have to consider where the variables are being used, and in what context they are being used. cheers Dan Ack