Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:115459
Return-Path: <jordan.ledoux@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 64762 invoked from network); 18 Jul 2021 02:17:07 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 18 Jul 2021 02:17:07 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 4E10A1804DA
	for <internals@lists.php.net>; Sat, 17 Jul 2021 19:41:45 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <jordan.ledoux@gmail.com>
Received: from mail-lj1-f178.google.com (mail-lj1-f178.google.com [209.85.208.178])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Sat, 17 Jul 2021 19:41:44 -0700 (PDT)
Received: by mail-lj1-f178.google.com with SMTP id s17so9341486ljo.12
        for <internals@lists.php.net>; Sat, 17 Jul 2021 19:41:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=8CgoexNdKhD1BQEkBfmyBXkb7sTcEM/RJMB4sg395os=;
        b=X93ZUjJqnY/klijE+6e0VHSuEnreP/ZTdffN47QFxieToUKqKBYgMSj67fcTc6+sJv
         ZiUWe+tcgL4M+JI4oVEWCpc/lCSas5Rms9CQG1hZiEj5uPUczdUXflKDn0tgHH/WkOQ1
         MxcB+efHeE6laKlp6HeB56njRnoJHjSbnCWrMut7oHWRbYIGzuXnjo00u1DP3eUdHoqP
         8/XHRQJyWMvaFud2wtfWTXB4u8VA4hsvfERGoSkBh3WC7LWi7jcy9Q6NSDe75SaEmDO/
         oUjh6zMVXZrMk+4DTIcZKOatDAS1k/9bPzL1qAvOTS7oGi4JU5Td2V1IkSSBOesSYqKn
         JStA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=8CgoexNdKhD1BQEkBfmyBXkb7sTcEM/RJMB4sg395os=;
        b=gjBPdQRfY/SAE+8V0x+U7iRIVjdN2osCLNaQcFQKSsbxatW8apbhcKB5fcKT9JkD2S
         mu+P2vdw0UBNk7u0qP+nshUZVv+zjnDZ6ECamQbbszNRz1z7Dd2YJq0Ngl7MiyL0HPVo
         3L+dZO8hOFZrDdMi12HHbQj3YHeerFRoYHToregDnI0fsUJh0trzw88JcXKYR7C5+2pQ
         BG8jKmsi0t96jUvQN1HWvX4e+YEQ2bfykzSGEBSz2wwoZHZCW9Lw17fSTn0Y2BIwm2W8
         biAC4XgVGbpbEx0/xuEBfvTKfzJz5cHESM+vGZdbftLKauCFjBZ/ApRLji6C1/Twh7rH
         MuhA==
X-Gm-Message-State: AOAM532FAgIwLnMe/ZZ6GMUVsF8od0IRuu8BuYTHggboC/aOakjIGIKW
	wWGvZdseclkM+VB8zkB6++CdRuRm+Klm/Y/gqwo=
X-Google-Smtp-Source: ABdhPJwUnPnSU/gEUEAuoKDxSWIqX2jMfr2YZDobxKj1+K2CTV7/gn7p8QoJQmJVumvZM7cd+HS/QeMGD8CcT8pdJ7I=
X-Received: by 2002:a2e:9b90:: with SMTP id z16mr16351507lji.444.1626576101887;
 Sat, 17 Jul 2021 19:41:41 -0700 (PDT)
MIME-Version: 1.0
References: <CAFv4g+HRHrvCOTgpbVfCXj06De1kL+1+RwnGgq6tcyLNAtLfQA@mail.gmail.com>
 <CADyq6s+eu4bLM3Z+28Vd0BoGzdbXRyG2Hw9OXqQtyok32p1CJQ@mail.gmail.com> <CAFv4g+H2Eec0SXif3=0nP4wwEaXzggTEPxJjm7fmuwQCR3CFFw@mail.gmail.com>
In-Reply-To: <CAFv4g+H2Eec0SXif3=0nP4wwEaXzggTEPxJjm7fmuwQCR3CFFw@mail.gmail.com>
Date: Sat, 17 Jul 2021 19:41:32 -0700
Message-ID: <CAMrTa2GVpugjj71tcQO8oJgMyf7A_naHbrakjRWj92oKkAJQOw@mail.gmail.com>
To: Craig Francis <craig@craigfrancis.co.uk>
Cc: Marco Pivetta <ocramius@gmail.com>, PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="000000000000c0d3ad05c75cc224"
Subject: Re: [PHP-DEV] [RFC] [VOTE] is_literal
From: jordan.ledoux@gmail.com (Jordan LeDoux)

--000000000000c0d3ad05c75cc224
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Related to the general topic of injection attacks, I was considering
submitting a PR to change the default of PDO::ATTR_EMULUATE_PREPARES to
FALSE, since this mistakenly can lead people to believe that using prepared
statements with PDO and MySQL protects against injection attacks. In fact,
this is only the case if they create the PDO object with the option
specified as false. I'm not aware however to reasoning for enabling prepare
emulation by default for MySQL. I would assume it's a performance choice,
but how long ago was this choice made and is it worth revisiting? Would
this be something that requires its own RFC? It's a single line change.

Jordan

On Sat, Jul 17, 2021 at 9:48 AM Craig Francis <craig@craigfrancis.co.uk>
wrote:

> On Sat, 17 Jul 2021 at 4:05 pm, Marco Pivetta <ocramius@gmail.com> wrote:
>
> > my belief is that this is not a runtime problem, but rather a type-leve=
l
> > issue with tainted/untainted input/output.
> >
>
>
> Thank you for the feedback Marco,
>
> As you appreciate, I don=E2=80=99t believe we can get every PHP developer=
 to use
> Static Analysis. It=E2=80=99s an extra step that developers with less tim=
e, energy,
> or care, will not setup and use.
>
> Putting something in the base language, means that libraries can just use
> it, and people using the sites/systems of rushed or lazier developers wil=
l
> have these checks helping keep their data secure. Data breeches can have
> life-changing consequences for people, Injection Vulnerabilities are one =
of
> the biggest causes of them, and since we have the ability for libraries t=
o
> warn all developers about these mistake, we should.
>
> At the moment our house can catch on fire and we don=E2=80=99t even have =
a smoke
> alarm. This is the smoke alarm. And there are reasons why it=E2=80=99s bu=
ilders and
> landlords that have to install them, and we don=E2=80=99t rely on the ten=
ants going
> and sorting them out themselves. Because if they don=E2=80=99t, for the b=
est or the
> worse reasons, either way there are severe consequences to everybody.
>
> In regards to Taint Checking, it has a significant problem as it creates =
a
> false sense of security, hence these examples in the RFC:
>
> $sql =3D 'SELECT * FROM users WHERE id =3D ' . $db->real_escape_string($i=
d); //
> INSECURE
>
> $html =3D "<img src=3D" . htmlentities($url) . " alt=3D'' />"; // INSECUR=
E
>
> $html =3D "<a href=3D'" . htmlentities($url) . "'>..."; // INSECURE
>
> Fortunately Psalm has just implemented the is_literal() concept, so those
> developers who do use Psalm can protect themselves from these issues:
>
> https://github.com/vimeo/psalm/releases/tag/4.8.0
>
>
>
> In addition to that, a mechanism to un-taint values is missing,
> >
>
>
> That=E2=80=99s the main flaw with Taint Checking, because it=E2=80=99s no=
t possible to mark
> something as safe without knowing about the context. As in, developers us=
e
> an escaping function (to mark as untainted), think the value is now =E2=
=80=9Csafe=E2=80=9D,
> and incorrectly use that value in a way that causes a security
> vulnerability.
>
> is_literal() simplifies this problem considerably, by just identifying
> developer defined strings, and instead using libraries to handle user
> values.
>
> Craig
>

--000000000000c0d3ad05c75cc224--