Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] [VOTE] is_literal
From: craig@craigfrancis.co.uk (Craig Francis)
To: PHP internals
Date: Wed, 14 Jul 2021 15:52:40 +0100

Injection Vulnerabilities remain at the top of the OWASP "Top 10 Web Application Security Risks".

It's important to remember that Injection Vulnerabilities don't just affect the developer, but rather the data of potentially thousands of people using the website/system.

These can even occur when using libraries. Take this example from CakePHP, where the developer has dangerously included user data into the SQL:

$users->find()->where(['age >= ' . $_GET['age']]);

By distinguishing strings from a trusted developer from strings that may be attacker controlled, libraries can ensure values that go directly into the SQL, HTML, CLI, etc. have not been "Injected" with user data.

PHP is now lagging behind other languages, where Java and Go can already test for developer defined strings (it's also being implemented in JavaScript).

is_literal() is a simple and minor change that simply utilises a currently unused flag on strings to mark whether the string was written by the developer. It requires no rewriting of code by the developer to work, no grand visionary overhaul of the PHP language, with only a 0.43% difference in speed that is too small to measure with normal internet/database variability. It's just a basic but effective way of being able to warn about and locate Injection Vulnerabilities (and therefore providing a way for libraries to directly educate developers).

The vote for this RFC ends on Monday the 19th of July, 7:30pm UK time and 6:30pm UTC, and needs your support.

https://wiki.php.net/rfc/is_literal

The following link provides more examples of these mistakes, based on code I've found on production servers. They show how similar they are to the examples found in the libraries' official documentation, and how easy it is for a developer to make a small tweak that ends up being very dangerous:

https://github.com/craigfrancis/php-is-literal-rfc/blob/main/justification/mistakes.php

I have created 3 example libraries you can experiment with, to see what is_literal() can do:

https://github.com/craigfrancis/php-is-literal-rfc/tree/main/examples

I'm happy to take questions on and off list.

Vote ends on Monday the 19th of July, 7:30pm UK time and 6:30pm UTC.

https://wiki.php.net/rfc/is_literal

Thanks,
Craig
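The library-side check the email describes, as an added illustration that is not code from the RFC, from CakePHP or from the author's example libraries. It assumes a PHP build carrying the proposed is_literal() patch (the function does not exist in stock PHP); the QueryBuilder class, its method names and the InjectionRiskException are invented for this example.

```php
<?php
// Added example, not part of the RFC or any library: a minimal query builder
// that refuses SQL fragments which are not developer-written literals.
// Assumes is_literal() as proposed by https://wiki.php.net/rfc/is_literal.

final class InjectionRiskException extends RuntimeException {}

final class QueryBuilder
{
    private array $conditions = [];
    private array $params = [];

    /** Accept only literal SQL fragments; user values must go via $params. */
    public function where(string $sql, array $params = []): self
    {
        if (!is_literal($sql)) {
            // The flag is about provenance, not content: even a harmless-looking
            // value such as "18" fails here if it came from $_GET.
            throw new InjectionRiskException(
                'where(): SQL fragment is not a literal; pass values as parameters'
            );
        }
        $this->conditions[] = $sql;
        $this->params = array_merge($this->params, $params);
        return $this;
    }

    public function sql(): string
    {
        return 'SELECT * FROM users WHERE ' . implode(' AND ', $this->conditions);
    }

    public function params(): array
    {
        return $this->params;
    }
}

$_GET['age'] = '18';   // constructed sample of request input
$qb = new QueryBuilder();

// The CakePHP-style mistake from the email: user data concatenated into SQL.
try {
    $qb->where('age >= ' . $_GET['age']);
} catch (InjectionRiskException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}

// Safe form: concatenating two literals keeps the literal flag, and the user
// value travels separately as a bound parameter.
$qb->where('age >= ' . ':age', [':age' => (int) $_GET['age']]);
echo $qb->sql(), "\n";   // SELECT * FROM users WHERE age >= :age
```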