Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:27019 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 37369 invoked by uid 1010); 16 Dec 2006 01:07:09 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 37354 invoked from network); 16 Dec 2006 01:07:09 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 16 Dec 2006 01:07:09 -0000 Authentication-Results: pb1.pair.com smtp.mail=ceo@l-i-e.com; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=ceo@l-i-e.com; sender-id=unknown Received-SPF: error (pb1.pair.com: domain l-i-e.com from 67.139.134.202 cause and error) X-PHP-List-Original-Sender: ceo@l-i-e.com X-Host-Fingerprint: 67.139.134.202 o2.hostbaby.com FreeBSD 4.7-5.2 (or MacOS X 10.2-10.3) (2) Received: from [67.139.134.202] ([67.139.134.202:2625] helo=o2.hostbaby.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 98/F9-10210-DB643854 for ; Fri, 15 Dec 2006 20:07:09 -0500 Received: (qmail 11253 invoked by uid 98); 16 Dec 2006 01:07:11 -0000 Received: from 127.0.0.1 by o2.hostbaby.com (envelope-from , uid 1013) with qmail-scanner-1.25 (clamdscan: 0.88.7/2336. Clear:RC:1(127.0.0.1):. Processed in 0.126305 secs); 16 Dec 2006 01:07:11 -0000 X-Qmail-Scanner-Mail-From: ceo@l-i-e.com via o2.hostbaby.com X-Qmail-Scanner: 1.25 (Clear:RC:1(127.0.0.1):. Processed in 0.126305 secs) Received: from unknown (HELO l-i-e.com) (127.0.0.1) by localhost with SMTP; 16 Dec 2006 01:07:11 -0000 Received: from 216.230.84.67 (SquirrelMail authenticated user ceo@l-i-e.com) by www.l-i-e.com with HTTP; Fri, 15 Dec 2006 19:07:11 -0600 (CST) Message-ID: <2622.216.230.84.67.1166231231.squirrel@www.l-i-e.com> In-Reply-To: <7C8CB695-3E81-4009-9699-2499DBF7B366@prohost.org> References: <20061215201448.B16D8BC1AB@spike.porcupine.org> <7AE00699-23C2-4759-A50C-3D94199DA85A@prohost.org> <45831090.1000704@zend.com> <18A7CF93-7BFD-4764-847D-6C107A62875E@prohost.org> <45831A87.6050301@zend.com> <45832B9B.2080109@zend.com> <8BC86061-CCC5-45C3-8C40-92B06ADBB117@prohost.org> <45832F71.2080503@zend.com> <7C8CB695-3E81-4009-9699-2499DBF7B366@prohost.org> Date: Fri, 15 Dec 2006 19:07:11 -0600 (CST) To: "Ilia Alshanetsky" Cc: "Stanislav Malyshev" , "PHP internals" , "Wietse Venema" Reply-To: ceo@l-i-e.com User-Agent: Hostbaby Webmail MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal Subject: Re: [PHP-DEV] Run-time taint support proposal From: ceo@l-i-e.com ("Richard Lynch") On Fri, December 15, 2006 5:43 pm, Ilia Alshanetsky wrote: > Consider E_NOTICE, it is a superb tool for finding out things like un- > declared variables (which often cause all manner of exploits), and > yet most developers keep it off because it gets in a way, even though > it has 0 false positives. First, a nitpik: pg_fetch_row() for a long time gave a false positive (imho) about seeking past the end of the result set. To this day I type @pg_fetch_row() as a matter of course, even though I think this maybe got fixed... :-) REAL CONTENT: I think that "taint" might be useful to some developers. Perhaps it would be best to review the proposed changes for performance effects, and see how much difference it really makes to add a bit-flag to every zval, and what other effects taint has with it turned OFF. The penalties for turning it ON in performance are a non-issue, I should think. If Wietse has a working prototype patch to do it, shouldn't we (an editorial we, there) at least give it a test spin? -- Some people have a "gift" link here. Know what I want? I want you to buy a CD from some starving artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So?