Newsgroups: php.internals
Xref: news.php.net php.internals:33263
Subject: Re: [PHP-DEV] Tainted Mode Decision
From: sesser@hardened-php.net (Stefan Esser)
Date: Sun, 18 Nov 2007 22:56:32 +0100
To: Lukas Kahwe Smith
Cc: Nuno Lopes, Stefan Esser, PHP internals
Message-ID: <4740B510.6040206@hardened-php.net>
References: <47401946.2050406@sektioneins.de> <006101c829d9$5e2f0140$4101a8c0@pc07653> <4740375B.5020706@hardened-php.net>

Hello Lukas,

> I wonder how other languages solve this dilemma? Like how does Ruby's
> taint model work? What are the experiences there? Are there any other
> languages that have a taint model?

I don't know exactly what they do, but if I am not completely mistaken the difference is simple.

AFAIK Perl has variable-level tainting, but does not have implicit untainting. That means the developer has to use something like untaint($variable) whenever he wants to use tainted input. This means the developer can only use tainted input when he THINKS and explicitly untaint()s it. He is responsible for bad decisions like using the wrong escaping function and telling Perl that he untaint()ed the input.

This is different from the implicit untainting through htmlentities() and mysql_real_escape_string(), because there are obviously cases where these functions are the WRONG functions and the developer will never realise this, because he was not taught to untaint() himself only when he is sure...

Stefan Esser
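As an added illustration, not taken from this thread or from any PHP or Perl implementation, here is a toy Python model of the two designs contrasted above: explicit untainting that names the sink the value is meant for, versus implicit untainting where any escaping function clears the taint. All class and function names, and the sample input, are constructed for this example.

```python
class Tainted(str):
    """User input: carries no proof of being safe for any sink."""

class Trusted(str):
    """A value explicitly cleared for one named sink context."""
    def __new__(cls, value, context):
        obj = super().__new__(cls, value)
        obj.context = context
        return obj

class TaintError(Exception):
    pass

def html_escape(s):
    # Mirrors htmlentities() with ENT_COMPAT: single quotes survive.
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))

def sql_escape(s):
    # Stand-in for mysql_real_escape_string(); deliberately simplified.
    return s.replace("\\", "\\\\").replace("'", "\\'")

ESCAPERS = {"html": html_escape, "sql": sql_escape}

def untaint(value, context):
    """Explicit (Perl-style) untainting: the developer names the sink,
    and only that sink accepts the result."""
    return Trusted(ESCAPERS[context](value), context)

def implicit_untaint(value, escaper):
    """Implicit untainting: any escaping function clears the taint, so
    every sink accepts the result, whether or not the escaper fits it."""
    return Trusted(escaper(value), "any")

def sink(value, context):
    """An HTML-output or SQL-query sink: refuses raw tainted data and
    data cleared for a different context."""
    if isinstance(value, Trusted) and value.context in (context, "any"):
        return str(value)
    raise TaintError(f"{context} sink refused {value!r}")

def rejected(value, context):
    """True when the sink raised, i.e. the taint model caught the mistake."""
    try:
        sink(value, context)
    except TaintError:
        return True
    return False

USER_INPUT = Tainted("O'Reilly <b>")  # constructed sample request value
```

With explicit untainting, `sink(untaint(USER_INPUT, "html"), "sql")` raises TaintError because the value was cleared for the wrong context; with implicit untainting the HTML-escaped value, single quote intact, reaches the SQL sink unchallenged.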