Newsgroups: php.internals
Xref: news.php.net php.internals:33256
Subject: Re: [PHP-DEV] Tainted Mode Decision
From: "Dan Scott" <denials@gmail.com>
To: "Stefan Esser"
Cc: "PHP internals"
Date: Sun, 18 Nov 2007 15:17:12 -0500
In-Reply-To: <47401946.2050406@sektioneins.de>
References: <47401946.2050406@sektioneins.de>

On 18/11/2007, Stefan Esser wrote:
> Good Morning,
>
> I just wanted to ask if there was ever a decision made that said tainted
> mode will go into PHP mainstream.
>
> Currently there are two implementations available:
>
> GRASP by Coresecurity
> * pro: byte level tainting which actually works
> * negative: slow
>
> PHP Taint mode by Wietse Venema/IBM
> * pro: faster
> * negative: broken design + insecure
>
> It is no secret that I don't like the idea of a taint mode in PHP
> because it cannot be made secure and fast at the same time.
> Coresecurity's GRASP is the best example for this: it uses a secure
> design and is therefore slow. On the other hand it seems some people
> want the fast implementation of Wietse in the core, which would be bad,
> because it is based on wrong assumptions and uses an insecure design
> that only gives a false sense of security.
>
> Examples for the wrong assumptions in PHP Taintmode:
> 1) _SERVER['PHP_SELF'] is not safe and allows XSS (and more) in many
> applications
> 2) Using mysql_real_escape_string() on user input does not make it safe
> for SQL. It only makes SQL strings safe.
> Example: "SELECT * FROM table WHERE id=".mysql_real_escape_string($id)
> is NOT secure but will result in no taint warning
> 3) Using htmlentities() on user input does not make it safe for HTML
> output. It only makes it safe in some situations.
> Example: echo '....'. Will allow XSS through the style
> attribute without a taint warning
> Example2: echo '....'. Will
> allow XSS through javascript: URL (f.e. in Opera) without a taint warning

I believe the primary use case for taint mode would be to use it in
development: taint mode is a mode which can be turned on to give you an
idea of where your application may have exposed some vulnerabilities;
let you fix those identified vulnerabilities; then turn off for
production purposes.

The speed of the implementation, if this is indeed the intention for
taint mode, would therefore be irrelevant.

http://devzone.zend.com/node/view/id/1526#Heading3 suggests that we've
had this discussion before and almost came to agreement that taint mode
would be used as a development tool.

-- 
Dan Scott
Laurentian University
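As an added illustration (constructed for this page, not code from either taint-mode patch or from the thread), a toy Python model of the two designs Stefan contrasts: a coarse mode in which an escaping function clears the taint, and byte-level tainting in which the sink can still see which bytes came from the user and whether they sit in a quoted SQL literal. It reproduces his mysql_real_escape_string() example: the unquoted `id=` position passes the coarse check silently, while the byte-level sink flags it regardless of the input's content.

```python
# Toy model, constructed for illustration; the escape table and sink rules
# are simplified stand-ins, not the real mysql_real_escape_string().
SQL_ESCAPES = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\0": "\\0"}


class TStr:
    """A string in which every byte carries its own taint bit."""

    def __init__(self, text, tainted=False):
        self.text = text
        self.bits = [tainted] * len(text)

    def __add__(self, other):
        out = TStr("")
        out.text = self.text + other.text
        out.bits = self.bits + other.bits  # taint survives concatenation
        return out


def escape_sql_string(s, clear_taint):
    """Escape quote/backslash bytes. With clear_taint=True the result is
    marked clean (the coarse design); otherwise escaped bytes stay tainted."""
    out = TStr("")
    for ch, t in zip(s.text, s.bits):
        rep = SQL_ESCAPES.get(ch, ch)
        out.text += rep
        out.bits += [False if clear_taint else t] * len(rep)
    return out


def coarse_sink(q):
    """Whole-value check: warns only if some byte is still marked tainted."""
    return "taint warning" if any(q.bits) else "ok"


def bytelevel_sink(q):
    """Warn if any tainted byte lies outside a quoted literal, i.e. in a
    position the SQL parser reads as code rather than as string data."""
    in_quote, escaped = None, False
    for ch, t in zip(q.text, q.bits):
        if t and in_quote is None:
            return "taint warning"
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif in_quote is None and ch in "'\"":
            in_quote = ch
        elif ch == in_quote:
            in_quote = None
    return "ok"


def build(user_id, quoted, clear_taint):
    """Build the query from the thread, with or without quotes around id."""
    uid = escape_sql_string(TStr(user_id, tainted=True), clear_taint)
    if quoted:
        return TStr("SELECT * FROM t WHERE id='") + uid + TStr("'")
    return TStr("SELECT * FROM t WHERE id=") + uid
```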