Newsgroups: php.internals
From: nlopess@php.net ("Nuno Lopes")
To: "Wietse Venema"
Date: Fri, 2 Nov 2007 22:33:20 -0000
Subject: Re: [PHP-DEV] Preliminary PHP taint support available

Hi,

It sounds cool, indeed.
The obvious question now is: how does it perform with real-world applications? Have you been able to identify security bugs (either new or already known)?
I don't have time to perform these tests myself, but I would love to see some results.

Regards,
Nuno

----- Original Message -----
From: "Wietse Venema"
To:
Sent: Friday, November 02, 2007 8:44 PM
Subject: [PHP-DEV] Preliminary PHP taint support available

> A preliminary implementation of PHP taint support is available from
> ftp://ftp.porcupine.org/pub/php/ This code is released under version
> 2.00 of the Zend license.
>
> Below are fragments from the README file. For the full text please see
> ftp://ftp.porcupine.org/pub/php/php-5.2.3-taint-20071102.README.html
> This file also has information about using taint in real applications,
> about run-time performance, and about changes within the PHP core.
>
> Most of all, your feedback is welcome, so that I can make this code
> as easy to use and as performant as possible.
>
> Wietse Venema
> IBM Research