Newsgroups: php.internals
Subject: Re: PHP taint support: first results
From: laurent@jelix.org (laurent jouanneau)
To: internals@lists.php.net
Date: Fri, 05 Oct 2007 12:09:28 +0200
In-Reply-To: <20071003003533.EAE341F3E99@spike.porcupine.org>

(Wietse Venema) wrote:

> To give an idea of the functionality, consider the following program
> with an obvious HTML injection bug:
>
> <?php
> $username = $_GET['username'];
> echo "Welcome back, $username\n";
> ?>
>
> With default .ini settings, this program does exactly what the
> programmer wrote: it echoes the contents of the username request
> attribute, including all the malicious HTML code that an attacker
> may have supplied along with it.
>
> When I change one .ini setting:
>
> taint_error_level = E_WARNING
>
> the program produces the same output, but it also produces a warning:
>
> Warning: echo(): Argument contains data that is not converted
> with htmlspecialchars() or htmlentities() in /path/to/script
> on line 3

A PHP application doesn't always generate HTML: it can generate JSON, CSV, PDF, etc. In this case, we don't have to call htmlspecialchars, etc. Does this warning also appear when you want to output data other than HTML? If not, how does your code guess the output type? If so, how can we disable this warning in pages which produce JSON, etc.?

Laurent
---
http://jelix.org
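A worked illustration of the distinction Laurent raises, added here and not part of the thread or of Wietse's patch: the same untrusted value emitted in HTML, JSON and CSV contexts, each with the escaping function that context actually needs. The `$username` value is constructed to stand in for `$_GET['username']` so the script runs from the CLI.

```php
<?php
// Added example (not from the thread). Constructed input standing in for
// $_GET['username']; it carries markup, a comma and quotes to exercise
// every context below.
$username = '<script>alert(1)</script>, "Bob"';

// The vulnerable form from the quoted message: raw interpolation into HTML.
function welcomeUnsafe(string $name): string {
    return "Welcome back, $name\n";
}

// HTML context: htmlspecialchars() is the conversion the taint checker looks for.
function welcomeHtml(string $name): string {
    return 'Welcome back, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "\n";
}

// JSON context: json_encode() does the escaping JSON requires. Calling
// htmlspecialchars() here would corrupt the data (e.g. '&' becomes '&amp;'
// inside the JSON string), which is why an HTML-only rule is a poor fit.
function welcomeJson(string $name): string {
    return json_encode(['message' => "Welcome back, $name"]) . "\n";
}

// CSV context: fputcsv() quotes fields so commas, quotes and newlines in the
// value stay inside one cell instead of injecting extra columns or rows.
function welcomeCsv(string $name): string {
    $fh = fopen('php://memory', 'r+');
    fputcsv($fh, ['Welcome back', $name]);
    rewind($fh);
    $out = stream_get_contents($fh);
    fclose($fh);
    return $out;
}

echo "-- unsafe HTML --\n", welcomeUnsafe($username);
echo "-- escaped HTML --\n", welcomeHtml($username);
echo "-- JSON --\n", welcomeJson($username);
echo "-- CSV --\n", welcomeCsv($username);
```

Only the first function reproduces the injection; the other three are safe for their own output type, yet only `welcomeHtml()` uses the functions the quoted warning names.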