Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:115386
Return-Path: <danack@basereality.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 32059 invoked from network); 11 Jul 2021 16:37:24 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 11 Jul 2021 16:37:24 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 6DB811804C4
	for <internals@lists.php.net>; Sun, 11 Jul 2021 10:00:23 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,
	SPF_NONE autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <danack@basereality.com>
Received: from mail-vs1-f52.google.com (mail-vs1-f52.google.com [209.85.217.52])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Sun, 11 Jul 2021 10:00:22 -0700 (PDT)
Received: by mail-vs1-f52.google.com with SMTP id g24so8699911vsa.10
        for <internals@lists.php.net>; Sun, 11 Jul 2021 10:00:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=basereality-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=sZJgvu7+RAFBoVwFHhilpPWqFJXstw32HuMYtNF5UdM=;
        b=tV16SJCUn8Iy6DbaFchDbECmOevr+VEyodis4XsoxnqFA7ef8RlXD9EjWWOFbf0S3k
         QfHmcs1bcWf0ptkcqTTyV4rXhLwNhIHFC8BFdLALL2y8TT46/krScr9vlyr+LcgOrTyr
         Kk3vQAksNfZDUNEpDY3tVStdy4OLclb82xvtyHHZ3iTX44yRLNGxadKbQ7kmkwGU+N/G
         gag+6MSgC17inHvvCdhJlA9P5wW3+r2aGAnXVF7RJJ/gcoXJ821BtmB2mPYOlvXZubul
         6hwVcYWkvRiCagNoDKXY8nTsWvrJ/3wCEDgn3Tg0H4Re3LGERsNJ+Xv5OC36+FSNJ1zO
         Km0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=sZJgvu7+RAFBoVwFHhilpPWqFJXstw32HuMYtNF5UdM=;
        b=eQR4uIyBxVjh7iEU3BIUjo71CtmqaLtc9oEUzo9XgjxUyCvGO6VcdFc6Oisj2fA5rZ
         H2o1cVYf3AvthNBIWWiCoFoN5DoMlxBnEGySlimdW7Ctld7xq63dhmVY/+Wm2+tppJKQ
         s85QrvIHLg8bK19QU2lrvbQE/1/vF84kaBBOLpFvUmQr6IZuTPeB0eu+sbAWRxBVMot7
         xLpX+azLr4sOy3D7kf/woOS/9yv7FSrLn2yX49Zfk/LFb5yWvcLCrPLC+c011O02zUph
         rfGUcONyFPIuUUCxPvR1kQwtU7n/fLpeuvAaOSZFI9CZHvWBt0eQfTB779ChN21q+u9H
         lOJQ==
X-Gm-Message-State: AOAM532Cd3t9zFOJqjKUfFRDuuOGe8LXgD6t73ssypSc2U8dVPd7vlA4
	f042awXJN7ThxE5aRdzWCzUg1bUJh7ObPxUDyRiApQ==
X-Google-Smtp-Source: ABdhPJzqDoPJCD6f6Ul84Bo8zjr4iC325zFH3NRngN1PtbEqHEJSaHHdoRiEdwcK3X8p1Fj6KrNq11UoUgkYSuPyk/I=
X-Received: by 2002:a67:ee84:: with SMTP id n4mr45026012vsp.24.1626022821696;
 Sun, 11 Jul 2021 10:00:21 -0700 (PDT)
MIME-Version: 1.0
References: <CAFv4g+HRHrvCOTgpbVfCXj06De1kL+1+RwnGgq6tcyLNAtLfQA@mail.gmail.com>
 <CAFPFaMJs7qvko=tfBsXuwCqMV3VqXL4TjO2aKWWPjrAicZzM9w@mail.gmail.com> <782e08f6-d6a1-e1e7-b2d6-4706277a4d86@gmail.com>
In-Reply-To: <782e08f6-d6a1-e1e7-b2d6-4706277a4d86@gmail.com>
Date: Sun, 11 Jul 2021 18:00:10 +0100
Message-ID: <CA+kxMuSuqaPq_q8eZy2_pHQNr1zMNjout2f2bZc=ZUZiBx3mPQ@mail.gmail.com>
To: Rowan Tommins <rowan.collins@gmail.com>
Cc: PHP internals <internals@lists.php.net>
Content-Type: text/plain; charset="UTF-8"
Subject: Re: [PHP-DEV] [RFC] [VOTE] is_literal
From: Danack@basereality.com (Dan Ackroyd)

Rowan Tommins <rowan.collins@gmail.com> wrote:

> I still don't follow this reasoning, for the reasons I outlined here:
> ...
> Whether "$foo . $bar" is always non-literal, or non-literal only if one
> of its operands is, you're going to get an error about a non-literal
> string somewhere else in the program, and have to trace back to find
> where the "bad" concatenation happened.


There are two differences. The first is "even if there is a problem,
you at least can find the relevant code".

With string concatenation preserving literal flags, when a problem is
detected, the situation is: "There is a non-literal somewhere in this
chunk of HTML. Good luck finding it in the string, and then figuring
out where it comes from in the code."

With having to jump through the hoop of using a specific function to
preserve the literal flag, the situation is: "This line of code is
wrong. It needs to be changed to use escaping."

To be precise, you wouldn't _have_ to trace back to find where the
non-literal value comes from. At the point where the error is you
would probably just change it to use the appropriate escaping. e.g. if
this line of fails, because the color suddenly becomes a non-literal:

literal_concat("<div style='color: ", $up->getColor(), "'>");

you don't need to figure out where the color is coming from, you can
just change it to use a function that does the appropriate escaping:

html("<div style='color: %s'>", $up->getColor());

In general, any use of literal_concat() where the correctness of it
isn't obvious from reading the code, should probably start a
conversation of "have you considered defaulting to using
escaping/prepared query here"?

# It prevents the problem reaching an end-user.

The solution at Google prevents any security problem from reaching the
end-user by refusing to compile code.

One of the problems with PHP is that it is 'normal' for logs to be
filled with warnings...which means that most people just ignore them.

By allowing security problems to get through, rather than defaulting
to being an error means that they will reach end-users, and the
warning messages will end up in log files, and the process for finding
and fixing them will take more time than people will like.

So instead of defaulting to safe, it will default to being ignorable.
And the whole point (in my understanding) of Chris Kern's talk, is
that you need to make software safe by default.


> What it won't do, is tell you when you've forgotten to use it,

Which is a huge difference.

If you're aware that you're touching a security sensitive bit of code,
you're likely to do the right thing anyway, and so won't need the
crutch of is_literal.

If you're unaware that you're touching a security sensitive bit of
code, you're more likely to accidentally include user input where it
isn't meant to be used.

That means the feature would be annoying for the people who need it most.

Allowing errors to get through to users, for them to be allegedly
fixed at a later date is referred to as "Normalization of deviance"
and isn't a good choice for this RFC, imo.

cheers
Dan
Ack


* problems with static analysis as a solution

** Not everyone runs it, and it would be nicer to allow wordpress et
al to provide this security threat detection rather than hoping users
decided to use static analysis.

** It might require libraries also using the same static analysis annotations.

** It might get quite tricky to implement correctly, in particular for
functions where the literal-ness of the output depends on the
literal-ness of the input.