Newsgroups: php.internals
Xref: news.php.net php.internals:33245
Message-ID: <47401946.2050406@sektioneins.de>
Date: Sun, 18 Nov 2007 11:51:50 +0100
Organization: SektionEins
User-Agent: Thunderbird 2.0.0.9 (Windows/20071031)
To: PHP internals
Subject: Tainted Mode Decision
From: stefan.esser@sektioneins.de (Stefan Esser)

Good Morning,

I just wanted to ask if there was ever a decision made that said tainted mode will go into PHP mainstream.
Currently there are two implementations available:

GRASP by Coresecurity
 * pro: byte level tainting which actually works
 * negative: slow

PHP Taint mode by Wietse Venema/IBM
 * pro: faster
 * negative: broken design + insecure

It is no secret that I don't like the idea of a taint mode in PHP because it cannot be made secure and fast at the same time. Coresecurity's GRASP is the best example for this: it uses a secure design and is therefore slow. On the other hand it seems some people want the fast implementation of Wietse in the core, which would be bad, because it is based on wrong assumptions and uses an insecure design that only gives a false sense of security.

Examples for the wrong assumptions in PHP Taintmode:

1) $_SERVER['PHP_SELF'] is not safe and allows XSS (and more) in many applications

2) Using mysql_real_escape_string() on user input does not make it safe for SQL. It only makes SQL strings safe.
   Example: "SELECT * FROM table WHERE id=".mysql_real_escape_string($id) is NOT secure but will result in no taint warning

3) Using htmlentities() on user input does not make it safe for HTML output. It only makes it safe in some situations.
   Example: echo '....'. Will allow XSS through the style attribute without a taint warning
   Example 2: echo '....'. Will allow XSS through javascript: URL (e.g. in Opera) without a taint warning

Yours,
Stefan Esser
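The two "wrong assumption" cases above (escaping an unquoted SQL value, and entity-encoding a value that lands in URL or CSS grammar) as a runnable PHP script. This is an added example, not code from the post, from GRASP or from Wietse Venema's taint patch. `escape_sql_string()` is a stand-in for `mysql_real_escape_string()`, which needs a live connection; `safe_int_id()`, `safe_href()` and `safe_css_length()` are hypothetical hardened helpers written for this example, and all input strings are constructed.

```php
<?php
// Added example: an escaper that only protects quoted string literals, and an
// HTML entity encoder that only protects HTML grammar, leave the holes the post
// describes. A per-byte taint flag is cleared by both calls and would report nothing.

// Stand-in for mysql_real_escape_string(): escapes the same characters, no DB needed.
function escape_sql_string(string $s): string {
    return strtr($s, [
        "\\"   => "\\\\", "'"  => "\\'",  "\"" => "\\\"",
        "\0"   => "\\0",  "\n" => "\\n",  "\r" => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// --- 1) SQL: escaping is meaningless outside a quoted literal -------------------
$id = "1 OR 1=1";                       // constructed input, no quote or backslash in it

// There is nothing for the escaper to touch, so the OR clause survives untouched.
$unquoted = "SELECT * FROM users WHERE id=" . escape_sql_string($id);
// Inside quotes the same value is a harmless string literal.
$quoted = "SELECT * FROM users WHERE id='" . escape_sql_string($id) . "'";

// Hardened: enforce the type the column actually has. A taint tracker cannot know
// that id is numeric; the application can.
function safe_int_id(string $raw): int {
    if (!preg_match('/^[0-9]{1,18}$/', $raw)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return (int) $raw;
}
// With PDO/mysqli the string is never built at all:
//   $stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?'); $stmt->execute([$id]);

// --- 2) HTML: htmlentities() knows nothing about URL schemes or CSS -------------
$href  = "javascript:alert(1)";         // constructed; contains no HTML metacharacter
$style = "width:expression(alert(1))";  // constructed; legacy IE CSS expression

// Encoded or not, the attribute value is byte-for-byte the same javascript: URL.
$anchor = "<a href='" . htmlentities($href, ENT_QUOTES, 'UTF-8') . "'>x</a>";

// Hardened: allowlist the scheme first, encode for the attribute second.
function safe_href(string $url): string {
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
        return '#';                     // anything that is not http(s) is refused
    }
    return htmlentities($url, ENT_QUOTES, 'UTF-8');
}

// Hardened: accept only the grammar of the one CSS value the page needs.
function safe_css_length(string $v): string {
    if (!preg_match('/^[0-9]{1,4}(px|%)$/', $v)) {
        return '0';
    }
    return htmlentities($v, ENT_QUOTES, 'UTF-8');
}

// Show both sides of each case.
echo $unquoted, "\n", $quoted, "\n", $anchor, "\n";
echo safe_int_id("42"), "\n";
echo safe_href($href), " | ", safe_href("https://example.com/"), "\n";
echo safe_css_length($style), " | ", safe_css_length("120px"), "\n";
try {
    safe_int_id($id);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Running it shows the first query with the `OR 1=1` clause intact while the quoted variant carries it as an inert string, and the anchor tag with the `javascript:` URL unchanged by `htmlentities()`. The hardened helpers reject those inputs not because the bytes are "tainted" but because they do not match the type or grammar the sink expects, which is the distinction the post's examples turn on.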