Newsgroups: php.internals
From: wietse@porcupine.org (Wietse Venema)
To: internals@lists.php.net
Date: Thu, 9 Aug 2007 18:43:57 -0400 (EDT)
Subject: PHP-taint update
Message-ID: <20070809224357.3CCFE1F3EA6@spike.porcupine.org>

Late last year I started a discussion on this list with a proposal to add Perl/Ruby-like taint support to PHP - a feature that a developer may turn on to find out where to insert explicit cleaning operations to avoid code injection etc. vulnerabilities. With applications that are explicitly written to be taint aware, taint support may also help at run-time as an additional safety net.

In the unavoidable trade-off between performance and developer impact, this approach minimizes the performance hit; the developer provides the explicit cleaning operations. Other taint-for-PHP approaches make a different trade-off; they typically avoid developer impact altogether, but come at the cost of a larger performance hit.

After a bunch of other work that needed to be done I've resumed work on PHP and I'm currently working on a rough prototype that supports taint in the core and in a bunch of standard built-ins. Overhead is minimal because it's just setting and testing a few normally unused bits in the zval structure. I expect to get some actual performance data once the implementation is complete enough, and to have a first implementation out the door sometime in September.

Wietse
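
The flag-bit mechanism the message describes, as an added C sketch that is not part of the original message and is not the prototype's code. The `tval` struct (a stand-in for PHP's zval), the per-sink taint classes and every function name are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical taint classes, one bit per kind of sink (assumed names). */
enum { TAINT_SQL = 1, TAINT_HTML = 2, TAINT_SHELL = 4, TAINT_ALL = 7 };
/* Toy string value; "flags" models a few normally unused bits. */
typedef struct { char *str; unsigned char flags; } tval;
static char *xmalloc(size_t n) { char *p = malloc(n); if (!p) abort(); return p; }
static tval tv_new(const char *a, const char *b, unsigned char flags) {
    tval v;
    v.str = xmalloc(strlen(a) + strlen(b) + 1);
    strcpy(v.str, a);
    strcat(v.str, b);
    v.flags = flags;
    return v;
}
/* Source: request data starts out tainted for every sink. */
tval tv_from_request(const char *s) { return tv_new(s, "", TAINT_ALL); }
/* Literal from the program text: trusted, no bits set. */
tval tv_literal(const char *s) { return tv_new(s, "", 0); }
/* Propagation: the result carries the union of both operands' bits. */
tval tv_concat(tval a, tval b) { return tv_new(a.str, b.str, (unsigned char)(a.flags | b.flags)); }

/* Explicit cleaning for the SQL sink: toy quote doubling (real code would use
 * the driver's escaping or bound parameters); clears only TAINT_SQL. */
tval tv_clean_sql(tval in) {
    tval v;
    size_t i, j = 0;
    v.str = xmalloc(2 * strlen(in.str) + 1);
    for (i = 0; in.str[i]; i++) {
        if (in.str[i] == '\'') v.str[j++] = '\'';
        v.str[j++] = in.str[i];
    }
    v.str[j] = '\0';
    v.flags = (unsigned char)(in.flags & ~TAINT_SQL);
    return v;
}

/* Sink checks: a single AND; 0 means allowed, -1 means refused. */
int sink_sql(tval q)  { return (q.flags & TAINT_SQL)  ? -1 : 0; }
int sink_html(tval h) { return (h.flags & TAINT_HTML) ? -1 : 0; }

int main(void) {
    tval name = tv_from_request("O'Brien");   /* constructed sample input */
    tval lit = tv_literal("SELECT * FROM t WHERE n='");
    printf("raw=%d cleaned=%d\n", sink_sql(tv_concat(lit, name)),
           sink_sql(tv_concat(lit, tv_clean_sql(name))));
    return 0;
}
```

Cleaning for one sink leaves the other bits set, so a value escaped for SQL is still refused by the HTML sink in this sketch.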