Newsgroups: php.internals
From: stas@zend.com (Stanislav Malyshev)
Organization: Zend Technologies
To: Stefan Esser
CC: Dan Scott, PHP internals
Date: Sun, 18 Nov 2007 15:33:35 -0800
Subject: Re: [PHP-DEV] Tainted Mode Decision
Message-ID: <4740CBCF.9070001@zend.com>
In-Reply-To: <4740B136.2080207@hardened-php.net>
References: <47401946.2050406@sektioneins.de> <4740B136.2080207@hardened-php.net>

> The problem here is that both approaches fail to be completely secure
> even when your test environment

I don't think taint mode can be truly considered as a security feature. It's rather a feature that would remind the developer he needs to think about security. Just as an alarm clock can wake you up, but can't ensure you actually will go to work and do something productive there, tainting can tell you that you need to take care of the variable, but can't ensure the care was right.

While I agree with you on the analysis of the escaping security, I do not think that this necessarily makes the whole idea of tainting worthless.

> has 100% code coverage. And I am speaking of real 100% ... Currently
> there is no tool that can
> ensure that. All PHP CC tools I know of so far will for example not
> handle the ternary operator correctly.

Most CC tools I know work on line-level, which makes it quite hard for them to report on same-line branches, such as the ternary operator. Of course they could report on opcode-level, but that'd be hard to read for the user :) So I believe most tools actually know about ternary operators, but can't report about them.

-- 
Stanislav Malyshev, Zend Software Architect
stas@zend.com http://www.zend.com/
(408)253-8829 MSN: stas@zend.com
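
The line-level reporting gap discussed in the message above, as an added example that is not part of the original message or of any PHP tool: it is written in Python rather than PHP so it runs on the standard library alone, and `Tainted`, `sink`, `greet` and `line_coverage` are hypothetical names with constructed input. One run reaches every line of `greet`, yet the branch of the conditional expression that skips escaping never executes, so the runtime taint check stays silent.

```python
import dis
import html
import sys


class Tainted(str):
    """Constructed stand-in for a taint-marked request value."""


def sink(value, warnings):
    # A runtime taint check only sees values that reach it in this run.
    if isinstance(value, Tainted):
        warnings.append("tainted value reached output")
    return str(value)


def greet(name, escape, warnings):
    body = html.escape(name) if escape else name  # two branches, one line
    return "<p>" + sink(body, warnings) + "</p>"


def line_coverage(func, *args):
    """Run func under a line tracer; return (lines hit, executable lines)."""
    code = func.__code__
    first = code.co_firstlineno  # the "def" line is not a statement
    executable = {ln for _, ln in dis.findlinestarts(code) if ln} - {first}
    hit = set()

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None  # do not trace callees such as sink()
        if event == "line":
            hit.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        func(*args)
    finally:
        sys.settrace(previous)
    return hit - {first}, executable


if __name__ == "__main__":
    seen = []
    hit, executable = line_coverage(greet, Tainted("<b>x</b>"), True, seen)
    print("line coverage:", len(hit), "of", len(executable), "warnings:", seen)
    missed = []
    greet(Tainted("<b>x</b>"), False, missed)  # the branch no test exercised
    print("unescaped branch:", missed)
```
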