Newsgroups: php.internals
Subject: Preliminary PHP taint support available
From: wietse@porcupine.org (Wietse Venema)
To: internals@lists.php.net
Date: Fri, 2 Nov 2007 16:44:26 -0400 (EDT)
Message-ID: <20071102204426.E24E81F3E9A@spike.porcupine.org>

A preliminary implementation of PHP taint support is available from

    ftp://ftp.porcupine.org/pub/php/

This code is released under version 2.00 of the Zend license.

Below are fragments from the README file. For the full text please see

    ftp://ftp.porcupine.org/pub/php/php-5.2.3-taint-20071102.README.html

This file also has information about using taint in real applications,
about run-time performance, and about changes within the PHP core.

Most of all, your feedback is welcome, so that I can make this code as
easy to use and as performant as possible.

	Wietse Venema
	IBM Research

[ Start of README fragments ]

Introduction
============

This is a preliminary implementation of support for tainted variables
in PHP. The goal is to help PHP application programmers find and
eliminate opportunities for HTML script injection, SQL or shell code
injection, or PHP control hijacking, before other people can exploit
them.

The implementation provides taint support for basic operators and for
a selection of built-in functions and extensions. A list of what is
implemented so far is at the end of this document.

The good news is that performance is better than I hoped it would be.
However, the implementation is incomplete, so please don't be surprised
when something is still missing. For example, I have not yet implemented
taint support for object-specific operations, and taint checks assume
that output has a Content-Type: of text/html. It also does not yet fully
adhere to coding and documentation conventions. All this needs to be
taken care of in future releases.

I need your feedback to make this code complete. I hope to do several
quick 1-2 month release cycles in which I collect feedback, fill in
missing things, and adjust course until things stabilize. Right now the
code is based on PHP 5.2.3, but I expect to catch up with the current
PHP release next time.

A quick example
===============

To give an idea of the functionality, consider this simple PHP program
with an obvious HTML script injection bug:

With default .ini settings, this program does exactly what the
programmer wrote: it echoes the contents of the client's inputfield
request attribute, including all the HTML script code that an attacker
may have supplied along with it.

When I add one setting to a php.ini file, or the equivalent ini_set()
call to the script itself, the program still produces the same output,
but it also produces a warning:

    Add to php.ini:  taint_error_level = E_WARNING
    Add to script:   ini_set("taint_error_level", E_WARNING);

    Warning: echo(): Argument contains data that is not converted with
    htmlspecialchars() or htmlentities() in /path/to/script on line 3

When I change the taint error level from E_WARNING into E_ERROR, script
execution terminates before echo produces any output.

Introducing multiple flavors of taint
=====================================

Conversion functions such as htmlspecialchars() exist not only for
boring security reasons! They are also required for robustness. Without
the proper output conversion, shell or SQL commands fail when given a
legitimate name such as O'Reilly. Bugs like this are easily overlooked,
because they trigger only with unusual data.

However, these bugs are trivial to find with taint support, because you
get the "missing conversion" warning message even when you test the
program with ordinary data. This point is worth repeating, so I will
repeat it now: With taint support, you don't need malicious inputs to
find out where a PHP script may have opportunities for HTML script
injection, shell or SQL code injection, or PHP control hijacking.

To encourage programmers to use the RIGHT conversion function, I have
implemented multiple flavors of taint. Each time data enters a PHP
application from the web, from a database or from elsewhere, it may be
"tainted" with zero or more taint flavors, so that the PHP engine can
warn the programmer and suggest an appropriate conversion function.

[ End of README fragments ]

Please see the complete README file for the unabridged text, including
information on the other topics:

* Using taint support with real PHP applications
* Performance
* Low-level implementation
* Taint propagation policy
* PHP core changes
* Loose ends
* Distant future
* Feature summary

The complete README file and source code are available from

    ftp://ftp.porcupine.org/pub/php/
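As an added user-land illustration (not part of Wietse's patch or of this post), the sketch below models the multi-flavor taint idea from the README fragments in plain PHP: request data carries every flavor, each conversion function clears only its own flavor, and a sink warns with the name of the converter it expects. The class and function names (Taint, Tainted, fromRequest, htmlSafe, checkSink) and the sample request are constructed for this example.

```php
<?php
// Added example, not code from the taint patch: a user-land model of
// multi-flavor taint. The real patch tracks this inside the Zend engine.

final class Taint {
    const HTML  = 1;   // cleared by htmlspecialchars() / htmlentities()
    const SQL   = 2;   // cleared by the database driver's quoting function
    const SHELL = 4;   // cleared by escapeshellarg()
    const ALL   = self::HTML | self::SQL | self::SHELL;
}

final class Tainted {
    public $value;
    public $flavors;
    public function __construct(string $value, int $flavors) {
        $this->value   = $value;
        $this->flavors = $flavors;
    }
}

// Anything read from the request is tainted with every flavor at once.
function fromRequest(array $request, string $key): Tainted {
    return new Tainted((string)($request[$key] ?? ''), Taint::ALL);
}

// A conversion function clears only the flavor it was designed for.
function htmlSafe(Tainted $t): Tainted {
    return new Tainted(htmlspecialchars($t->value, ENT_QUOTES, 'UTF-8'),
                       $t->flavors & ~Taint::HTML);
}

// A sink checks the one flavor it cares about and names the converter
// that would clear it, mirroring the warning text quoted in the post.
function checkSink(Tainted $t, int $flavor, string $sink, string $converter): ?string {
    if ($t->flavors & $flavor) {
        return "Warning: $sink(): Argument contains data that is not converted with $converter";
    }
    return null;
}

// Constructed sample request: ordinary data is enough to trigger the check.
$request = ['inputfield' => "O'Reilly"];
$in      = fromRequest($request, 'inputfield');
$html    = 'htmlspecialchars() or htmlentities()';

var_dump(checkSink($in, Taint::HTML, 'echo', $html));            // raw request data at an HTML sink
var_dump(checkSink(htmlSafe($in), Taint::HTML, 'echo', $html));  // after the RIGHT conversion for that sink
// HTML conversion does not clear the shell flavor, so a shell sink still complains.
var_dump(checkSink(htmlSafe($in), Taint::SHELL, 'system', 'escapeshellarg()'));
```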