Newsgroups: php.internals
Xref: news.php.net php.internals:33255
Message-ID: <002801c82a1b$7a7c4ff0$e6dfc350@foxbox>
From: steph@zend.com ("Steph Fox")
Reply-To: "Steph Fox"
To: "Stefan Esser"
Cc: "internals"
References: <47401946.2050406@sektioneins.de>
Date: Sun, 18 Nov 2007 19:44:46 -0000
Organization: Zend Technologies
Subject: Re: [PHP-DEV] Tainted Mode Decision

Hi Stefan,

> I just wanted to ask if there was ever a decision made that said tainted
> mode will go into PHP mainstream.

No decision as such - I believe Wietse is doing his best to find out exactly how viable it is, no?

> it seems some people want the fast implementation of Wietse in the core
> which would be bad, because it is based on
> wrong assumptions and uses an insecure design that does only give a
> false sense of security.

In a preliminary release for feedback purposes you talk about wrong assumptions? Surely this is the whole point of having a preliminary release for feedback :)

> Examples for the wrong assumptions in PHP Taintmode:
> 1) _SERVER['PHP_SELF'] is not safe and allows XSS (and more) in many
> applications
> 2) Using mysql_real_escape_string() on user input does not make it safe
> for SQL. It only makes SQL strings safe.
> Example: "SELECT * FROM table WHERE id=".mysql_real_escape_string($id)
> is NOT secure but will result in no taint warning
> 3) Using htmlentities() on user input does not make it safe for HTML
> output. It only makes it safe in some situations.
> Example: echo '....'. Will allow XSS through the style
> attribute without a taint warning
> Example2: echo '....'. Will
> allow XSS through javascript: URL (f.e. in Opera) without a taint warning

Now, yes. Since these are all things that 'every fule know', isn't it more than likely that they'll be addressed before taint mode ever sees the light of day?

I think it's probably worth giving Wietse as much help as you can at this stage to make it better, since the thing's fast and since you know where to find the problem areas better than anyone.

That said - I don't know if it's possible to have an extension/hooks approach without losing speed, but if it _is_ I'd personally vote for taking that approach.

- Steph
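The two escaping cases Stefan lists above (an escaped value in an unquoted numeric SQL position, and an htmlentities()-escaped javascript: URL) as an added PHP example, not code from the thread or from the taint-mode patch; escape_sql_string() is an assumed stand-in for mysql_real_escape_string(), which needs a live connection, and the hostile inputs are constructed:

```php
<?php
// Added illustration, not code from the thread. escape_sql_string() is a stand-in
// for mysql_real_escape_string(), which needs a live connection; it escapes the
// same characters the real function does (NUL, \n, \r, \, ', ", Ctrl-Z).
function escape_sql_string(string $s): string {
    return strtr($s, ["\\" => "\\\\", "'" => "\\'", "\"" => "\\\"", "\0" => "\\0",
                      "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z"]);
}

// Context 1: an unquoted numeric position. The input never needs a quote, so the
// escaper has nothing to do and the injected clause survives; a type constraint
// (integer cast, or binding with PDO::PARAM_INT) is what makes the value safe here.
function query_escaped(string $id): string {
    return "SELECT * FROM table WHERE id=" . escape_sql_string($id);
}
function query_typed(string $id): string {
    return "SELECT * FROM table WHERE id=" . (int) $id;
}
$id = "1 OR 1=1";                         // constructed hostile input
echo query_escaped($id), "\n";            // the "OR 1=1" clause is still in the query
echo query_typed($id), "\n";              // cast reduces the value to the integer 1

// Context 2: a URL attribute. htmlentities() only rewrites &, <, >, ' and ", so a
// javascript: URL contains nothing to escape and is emitted verbatim. Escaping must
// follow a scheme allow-list check, which is the part a taint rule cannot express.
function href_escaped_only(string $url): string {
    return '<a href="' . htmlentities($url, ENT_QUOTES, 'UTF-8') . '">x</a>';
}
function href_checked(string $url): string {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        $url = '#';                       // refuse anything not on the allow-list
    }
    return '<a href="' . htmlentities($url, ENT_QUOTES, 'UTF-8') . '">x</a>';
}
$url = "javascript:alert(1)";             // constructed hostile input
echo href_escaped_only($url), "\n";       // javascript: scheme passes through untouched
echo href_checked($url), "\n";            // the href is replaced by "#"
```

href_checked() also refuses relative URLs, since they carry no scheme; widen the check if the application needs them.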