Newsgroups: php.internals
From: sebastian@nohn.net (Sebastian Nohn)
To: Stefan Esser
CC: PHP internals
Date: Mon, 19 Nov 2007 08:28:49 +0100
Subject: Re: [PHP-DEV] Tainted Mode Decision
Message-ID: <47413B31.5070304@nohn.net>
In-Reply-To: <47401946.2050406@sektioneins.de>

Hi Stefan,

Stefan Esser wrote:
> GRASP by Coresecurity
> * pro: byte level tainting which actually works
> * negative: slow
>
> PHP Taint mode by Wietse Venema/IBM
> * pro: faster
> * negative: broken design+insecure

I don't see a big problem with having a slow but working taint mode in
development environments while not having a taint mode in production
environments. The question - as always - is how big the performance
impact really is.

- Sebastian