Newsgroups: php.internals
Subject: Re: [PHP-DEV] Tainted Mode Decision
From: mls@pooteeweet.org (Lukas Kahwe Smith)
To: Stefan Esser
Cc: Dan Scott, Stefan Esser, PHP internals
Date: Sun, 18 Nov 2007 22:53:55 +0100
Message-ID: <4217C4AB-1725-4D54-95D0-82262DB012BC@pooteeweet.org>
In-Reply-To: <4740B136.2080207@hardened-php.net>

On 18.11.2007, at 22:40, Stefan Esser wrote:

> Hi Dan,
>
>> I believe the primary use case for taint mode would be to use it in
>> development: taint mode is a mode which can be turned on to give you
>> an idea of where your application may have exposed some
>> vulnerabilities; let you fix those identified vulnerabilities; then
>> turn off for production purposes. The speed of the implementation, if
>> this is indeed the intention for taint mode, would therefore be
>> irrelevant.
>
> The problem here is that both approaches fail to be completely secure
> even when your test environment has 100% code coverage. And I am
> speaking of real 100% ... Currently there is no tool that can ensure
> that. All PHP CC tools I know of so far will for example not handle
> the ternary operator correctly.

Stefan, so what is your point then? Since neither can be 100% secure, do not use any? Or just do not bundle either? There is nothing like 100% secure for anything that allows user access (and of course I am not telling you any news with this).

I like the "it's a development tool" kind of thinking that Dan brought to the table. From what I understand the heavy duty approach could be a very good tool to check for security risks and would just be one tool in the shed along with Suhosin, XSS scanner and, not to forget, common sense and security audits. Now whether the two proposed solutions are ready yet is another question (where I do trust your expertise - and hopefully also of other security experts - to give us a good basis for judgement).

regards,
Lukas
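The coverage caveat Stefan raises above (a ternary written on one source line is reported as fully covered even when only one of its branches ever ran, so a dynamic taint check never sees the other branch) illustrated in Python rather than PHP, as an added example that is not part of this thread. `Tainted`, `escape`, `render`, `sink` and the test inputs are constructed stand-ins for PHP's taint flag, a sanitizer, application code and an output sink; `run_with_line_coverage` is a deliberately line-granular tracer standing in for the PHP code-coverage tools mentioned.

```python
import dis
import sys

class Tainted:
    """Constructed stand-in for a taint-flagged string (user-controlled data)."""
    def __init__(self, value):
        self.value = value

def escape(v):
    """Sanitizer: returns a plain, untainted str."""
    return v.value if isinstance(v, Tainted) else v

def render(user_input, safe_mode):
    # One source line, two data flows: only the True branch sanitizes.
    return escape(user_input) if safe_mode else user_input

def sink(v):
    """The 'taint mode' check: a tainted value reaching output is a finding."""
    return "TAINT-WARNING" if isinstance(v, Tainted) else "ok"

def run_with_line_coverage(func, *args):
    """Call func, recording which of its source lines executed (line-granular coverage)."""
    code, hit = func.__code__, set()
    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None  # do not trace callees
        if event == "line":
            hit.add(frame.f_lineno)
        return tracer
    prev = sys.gettrace()
    sys.settrace(tracer)
    try:
        result = func(*args)
    finally:
        sys.settrace(prev)
    return result, hit

def executable_lines(func):
    # Source lines of func that carry bytecode, excluding the def line itself.
    code = func.__code__
    return {ln for _, ln in dis.findlinestarts(code) if ln and ln > code.co_firstlineno}

def simulate(test_cases):
    """Run a test suite; return (line coverage of render, number of taint findings)."""
    hit, findings = set(), 0
    for user_input, safe_mode in test_cases:
        out, lines = run_with_line_coverage(render, user_input, safe_mode)
        hit |= lines
        findings += sink(out) == "TAINT-WARNING"
    total = executable_lines(render)
    return len(hit & total) / len(total), findings
```

A suite that only ever calls `render` with `safe_mode=True` reports 100% line coverage of `render` and zero taint findings; adding the `safe_mode=False` case leaves coverage unchanged but surfaces the unsanitized flow.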