Newsgroups: php.internals
Xref: news.php.net php.internals:27092
Subject: Re: [PHP-DEV] Run-time taint support proposal
From: lester@lsces.co.uk (Lester Caine)
To: PHP internals
Date: Tue, 19 Dec 2006 10:29:31 +0000
Message-ID: <4587BF0B.1040808@lsces.co.uk>
References: <20061215201448.B16D8BC1AB@spike.porcupine.org> <7AE00699-23C2-4759-A50C-3D94199DA85A@prohost.org> <45831090.1000704@zend.com> <18A7CF93-7BFD-4764-847D-6C107A62875E@prohost.org> <45831A87.6050301@zend.com> <45832B9B.2080109@zend.com> <8BC86061-CCC5-45C3-8C40-92B06ADBB117@prohost.org> <45832F71.2080503@zend.com> <7C8CB695-3E81-4009-9699-2499DBF7B366@prohost.org> <4583375C.5060302@zend.com> <2F093E93-7021-4C0F-A391-A99CBF080596@prohost.org> <45833C93.4020909@zend.com> <87774C2D-1959-459A-B892-F2F6F6A5C676@prohost.org> <45835ABE.5040909@zend.com> <6526D55D-DC87-40D4-8335-CCB0FA810646@prohost.org> <45846491.6020101@zend.com> <7FD783B9-68A7-4EC7-B6C3-8DBC44A51597@prohost.org>

Zeev Suraski wrote:
> As such, I would consider:
> - Saying tainting should not be enabled in production (avoid the false
>   sense of security people might have if they turn on tainting in
>   production).
> - Not necessarily the fastest possible implementation, since it'd be
>   used for development purposes only.
> - Consider making this a compile-time option with significant overhead
>   and a big DO NOT ENABLE IN PRODUCTION, so that people have an even
>   clearer idea they shouldn't rely on it to find their bugs, and that in
>   fact it's just a helper tool, not unlike a strong IDE.
>
> We could possibly even come up with a new name other than tainting so
> that there is not prior perception as to what this feature is supposed
> or not supposed to do.

Now that puts my own concern into the right light! IPSs should never be running it?

-- 
Lester Caine - G8HFL
-----------------------------
L.S.Caine Electronic Services - http://home.lsces.co.uk
Model Engineers Digital Workshop - http://home.lsces.co.uk/ModelEngineersDigitalWorkshop/
Treasurer - Firebird Foundation Inc. - http://www.firebirdsql.org/index.php