Newsgroups: php.internals
Message-ID: <475101FF.5080103@lerdorf.com>
Date: Sat, 01 Dec 2007 16:41:03 +1000
From: rasmus@lerdorf.com (Rasmus Lerdorf)
To: Stanislav Malyshev
CC: Sara Golemon, omar@php.net, PHP Internals
In-Reply-To: <4750B3CA.20405@zend.com>
Subject: Re: [PHP-DEV] Proposed feature for json_encode()

Stanislav Malyshev wrote:
>> I can't because I don't know of any successful vectors *currently*. I
>> also would have sworn that echoing htmlentified data was safe....until
>> I came across a browser where it wasn't.
>
> So that's what I wanted to understand, because if we add this feature,
> we should give some explanation on when to use it and what it does, and
> I don't think I understand that, so I guess it would help to have such
> explanation.

Stuff like this often isn't completely deterministic. The attack vectors
will move around and new ones will be discovered, but since the syntax
Sara is proposing is completely valid JSON it gives people another tool.
Documenting specific attack vectors is useful too, of course, but a
secondary concern in my mind. I don't think we have ever documented some
of the vectors against htmlentities(), for example. Even with the latest
character encoding fixes, there are still contextual attack vectors where
doing htmlentities() on user data doesn't help you at all.

For the curious, try this:

Mouse Over Me

Then try hitting the page and set ?foo=';alert(0);//

This doesn't mean there is anything wrong with htmlentities(), of course,
it simply means it was used in the wrong context and another mechanism is
needed here. I don't think it is hard to imagine that there are times
when it would be nice to be able to move JSON data around in a context in
which html tags and quotes might be inconvenient. Instead of applying a
filter on top of it, having a version of json that doesn't have these is
quite useful.

-Rasmus
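The context problem Rasmus describes, worked through as an added example that is not code from the mail or from PHP itself. It assumes the page put the escaped value into a JavaScript string literal inside an onmouseover attribute (the markup, the `render_*`/`handler_as_seen_by_js` names and the default `$foo` payload are this example's own), and it uses the `JSON_HEX_*` flags that shipped with json_encode() in PHP 5.3. The `handler_as_seen_by_js()` helper is a stand-in for the browser: it returns the attribute value after HTML character references have been decoded, which is what the JavaScript engine actually compiles.

```php
<?php
// Added example (not from the original mail or from PHP's sources).
// Shows why htmlentities() is the wrong escaper for a JS string literal inside an
// HTML event-handler attribute, and what json_encode() with the JSON_HEX_* flags
// (PHP >= 5.3) gives you instead. Run with: php this_file.php [or ?foo=... via a web server]

// Attacker-controlled input. The default is the payload from the mail: ?foo=';alert(0);//
$foo = $_GET['foo'] ?? "';alert(0);//";

// Wrong context: HTML-escape the value and drop it into a single-quoted JS string
// inside onmouseover. Even with ENT_QUOTES, the browser decodes &#039; back to '
// while parsing the attribute, *before* the JS engine sees the handler, so the
// string literal is terminated early.
function render_with_htmlentities(string $value): string
{
    return '<a href="#" onmouseover="alert(\''
        . htmlentities($value, ENT_QUOTES, 'UTF-8')
        . '\')">Mouse Over Me</a>';
}

// Right context: build a complete JS string literal first, with < > & ' " emitted as
// \uXXXX escapes so nothing in the output means anything to the HTML parser. The JSON
// literal is wrapped in double quotes, so the attribute itself is single-quoted here.
function render_with_json_hex(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return "<a href='#' onmouseover='alert(" . json_encode($value, $flags) . ")'>Mouse Over Me</a>";
}

// Stand-in for the browser (assumption of this example, not PHP behaviour): extract the
// onmouseover attribute value and decode HTML character references, which is the text
// the JavaScript engine is handed when the handler fires.
function handler_as_seen_by_js(string $html, string $attrQuote): string
{
    $q = preg_quote($attrQuote, '/');
    preg_match('/onmouseover=' . $q . '([^' . $q . ']*)' . $q . '/', $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

$bad  = render_with_htmlentities($foo);
$good = render_with_json_hex($foo);

echo "Markup (htmlentities):            $bad\n";
echo "Handler the JS engine compiles:   ", handler_as_seen_by_js($bad, '"'), "\n\n";

echo "Markup (json_encode + JSON_HEX_*): $good\n";
echo "Handler the JS engine compiles:   ", handler_as_seen_by_js($good, "'"), "\n";
```

With the default payload, the first handler decodes to `alert('';alert(0);//')`: the literal is closed by the attacker's quote and `alert(0)` runs, and switching htmlentities() to ENT_QUOTES does not help because `&#039;` is turned back into `'` by the HTML parser. The second handler stays `alert("\u0027;alert(0);\/\/")`, a single string literal that displays the raw input. The same JSON_HEX_* output can be placed in a `<script>` block without further filtering, since `<` is emitted as `\u003C` and `</script>` can never appear in it. If you must use a double-quoted attribute, you need the second filter Rasmus mentions, htmlspecialchars() applied over the json_encode() result.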