Newsgroups: php.internals
Message-ID: <45832B9B.2080109@zend.com>
Date: Fri, 15 Dec 2006 15:11:23 -0800
From: stas@zend.com (Stanislav Malyshev)
Organization: Zend Technologies
To: Ilia Alshanetsky
CC: Wietse Venema, PHP internals
Subject: Re: [PHP-DEV] Run-time taint support proposal
References: <20061215201448.B16D8BC1AB@spike.porcupine.org> <7AE00699-23C2-4759-A50C-3D94199DA85A@prohost.org> <45831090.1000704@zend.com> <18A7CF93-7BFD-4764-847D-6C107A62875E@prohost.org> <45831A87.6050301@zend.com>

> All it means is extra work for developers with little or no tangible
> benefits. I also wonder how taint will work with the standard remove/add

Security is a benefit. Of course, the developers that are sure they write secure code anyway need not be bothered by tainting and can leave it off forever.

> The job of a language is to provide tools, not arbitrary crippling
> limitation under the guise of security improvement.

I agree. Tainting is one such tool, aimed at improving security.

> safe_mode sounded like a really reasonable idea too, I would've hoped
> some lessons from past mistakes could be made.

I do not see what exactly you propose to learn from safe mode mistakes - that we should never try to improve PHP security by providing language level tools? I do not see how this can be derived from whatever was wrong with safe mode. It may be that the tainting would not catch but I do not think safe mode problems should prevent us from even trying.

-- 
Stanislav Malyshev, Zend Products Engineer
stas@zend.com http://www.zend.com/