Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:33261
Return-Path: <sesser@hardened-php.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 82728 invoked by uid 1010); 18 Nov 2007 21:50:16 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 82713 invoked from network); 18 Nov 2007 21:50:16 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 18 Nov 2007 21:50:16 -0000
Authentication-Results: pb1.pair.com smtp.mail=sesser@hardened-php.net; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=sesser@hardened-php.net; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain hardened-php.net from 81.169.159.221 cause and error)
X-PHP-List-Original-Sender: sesser@hardened-php.net
X-Host-Fingerprint: 81.169.159.221 hardened-php.net Linux 2.4/2.6
Received: from [81.169.159.221] ([81.169.159.221:58544] helo=mail.hardened-php.net)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 23/A6-21972-793B0474 for <internals@lists.php.net>; Sun, 18 Nov 2007 16:50:16 -0500
Received: from [127.0.0.1] (p50876CC9.dip.t-dialin.net [80.135.108.201])
	by mail.hardened-php.net (Postfix) with ESMTP id 91D521200B1;
	Sun, 18 Nov 2007 21:04:19 +0100 (CET)
Message-ID: <4740B390.3090003@hardened-php.net>
Date: Sun, 18 Nov 2007 22:50:08 +0100
User-Agent: Thunderbird 2.0.0.9 (Windows/20071031)
MIME-Version: 1.0
To: Steph Fox <steph@zend.com>
Cc: Stefan Esser <stefan.esser@sektioneins.de>,
	internals <internals@lists.php.net>
References: <47401946.2050406@sektioneins.de> <002801c82a1b$7a7c4ff0$e6dfc350@foxbox>
In-Reply-To: <002801c82a1b$7a7c4ff0$e6dfc350@foxbox>
X-Enigmail-Version: 0.95.5
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] Tainted Mode Decision
From: sesser@hardened-php.net (Stefan Esser)

Hi Steph,

>
> In a preliminary release for feedback purposes you talk about wrong
> assumptions? Surely this is the whole point of having a preliminary
> release for feedback :)
yes of course it is preliminary. But the whole idea is flawed. It is
assumed that a single function exists that makes user input secure for
HTML or for SQL. But infact there is not.

There exists a wide number of possible contexts like
1) SQL: Inside a SQL string
2) SQL: Inside a SQL table name
3) SQL: Inside a SQL field name (uncommon)
4) SQL: Inside a SQL comment
5) SQL: Where a numerical id is expected
6) ... possible others

All these different contexts need another way of preparation/escaping.
What kind of handling is actually needed can only be found out by
parsing the query and knowing what bytes are tained.
This cannot be done if you only use variable level tainting.

If you look at HTML it gets even more complicated because you have many
more possibilities like
1) HTML: Outside of a TAG
2) HTML: Inside a TAG
3) HTML: Inside an attribut of a style tag
4) HTML: Dangerous URLs in attributes
5) HTML: JavaScript between <script> tags
6) HTML: JavaScript inside a JS String
7) ....

That said the implicit untainting by use of mysql_real_escape_string()
and htmlentities() is simply not feasible.

Stefan Esser