Newsgroups: php.internals
Date: Sat, 1 Dec 2007 13:04:59 +0300
From: "Alexey Zakhlestin" <indeyets@gmail.com>
To: "Rasmus Lerdorf"
Cc: "Stanislav Malyshev", "Sara Golemon", omar@php.net, "PHP Internals"
In-Reply-To: <475101FF.5080103@lerdorf.com>
References: <474F0EE7.8020201@php.net> <474F4E47.8050506@zend.com> <474F5E12.1050404@php.net> <474F5F75.3030808@zend.com> <475081DD.90404@php.net> <4750B3CA.20405@zend.com> <475101FF.5080103@lerdorf.com>
Subject: Re: [PHP-DEV] Proposed feature for json_encode()

Is such filtering specific to JSON? Does it have some use out of JSON-context?

Maybe it would be better to provide a set of functions for encoding characters into '\u'-entities? (similar to htmlentities, htmlspecialchars)
because if we speak of a 'theoretical' problem, we might end up reimplementing this for some other function later

On 12/1/07, Rasmus Lerdorf wrote:
> Stanislav Malyshev wrote:
> >> I can't because I don't know of any successful vectors *currently*. I
> >> also would have sworn that echoing htmlentified data was safe....until
> >> I came across a browser where it wasn't.
> >
> > So that's what I wanted to understand, because if we add this feature,
> > we should give some explanation on when to use it and what it does, and
> > I don't think I understand that, so I guess it would help to have such
> > explanation.
>
> Stuff like this often isn't completely deterministic. The attack
> vectors will move around and new ones will be discovered but since the
> syntax Sara is proposing is completely valid JSON it gives people
> another tool. Documenting specific attack vectors is useful too, of
> course, but a secondary concern in my mind.
>
> I don't think we have ever documented some of the vectors against
> htmlentities(), for example. Even with the latest character encoding
> fixes, there are still contextual attack vectors where doing
> htmlentities() on user data doesn't help you at all. For the curious,
> try this:
>
> Mouse Over Me
>
> Then try hitting the page and set ?foo=';alert(0);//
>
> This doesn't mean there is anything wrong with htmlentities(), of
> course, it simply means it was used in the wrong context and another
> mechanism is needed here.
>
> I don't think it is hard to imagine that there are times when it would
> be nice to be able to move JSON data around in a context in which html
> tags and quotes might be inconvenient. Instead of applying a filter on
> top of it, having a version of json that doesn't have these is quite useful.
>
> -Rasmus
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>

-- 
Alexey Zakhlestin
http://blog.milkfarmsoft.com/
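The two points argued in the message above, modelled in Node.js as an added example (this is not code from the thread, from Sara's patch, or from PHP itself): first, Rasmus's case, where htmlentities() output lands inside a JavaScript string in an onmouseover attribute and the browser HTML-decodes the attribute before the script engine parses it, so the quote comes back whether or not it was entity-encoded; second, the kind of '\u'-escaping Alexey asks about, applied to the characters that matter to an HTML parser, with the result still being valid JSON. All function names (htmlentities, htmlAttrDecode, jsSeenByBrowser, jsonEncodeHex and the helpers) are hypothetical, the htmlentities model follows PHP's historical default of leaving the single quote alone (ENT_COMPAT) with an ENT_QUOTES-like switch, the attribute decoder is a simplified model of browser behaviour, and the sample payloads are constructed.

```javascript
// Added example, not from the php.internals thread or PHP. Hypothetical
// names throughout; sample inputs are constructed.

// Model of PHP's historical default htmlentities() (ENT_COMPAT): escapes
// & < > and the double quote, leaves the single quote alone. With
// quoteSingle=true it behaves like ENT_QUOTES and also emits &#039;.
function htmlentities(s, quoteSingle) {
  const out = s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
               .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
  return quoteSingle ? out.replace(/'/g, '&#039;') : out;
}

// Simplified model of what a browser does to an attribute value before the
// script engine sees it: numeric and common named references are decoded.
function htmlAttrDecode(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (ref, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      return String.fromCodePoint(parseInt(isHex ? body.slice(2) : body.slice(1), isHex ? 16 : 10));
    }
    const key = body.toLowerCase();
    return named[key] !== undefined ? named[key] : ref;
  });
}

// Rasmus's case: htmlentities()'d user data inside a single-quoted JS string
// in an onmouseover attribute. Returns the JS source the browser executes.
// Entity-encoding the quote does not help, because the attribute is
// HTML-decoded before the JS parser runs.
function jsSeenByBrowser(untrusted, quoteSingle) {
  const attributeValue = "foo='" + htmlentities(untrusted, quoteSingle) + "'";
  return htmlAttrDecode(attributeValue);
}

// Characters an HTML parser acts on, and the equivalent \u00XX escape inside
// a JSON string (JSON permits any character to be written this way).
const HEX = { '<': '\\u003c', '>': '\\u003e', '&': '\\u0026', "'": '\\u0027', '"': '\\u0022' };

// JSON.stringify, then rewrite the characters above *inside string literals*
// as \u00XX escapes. Delimiting quotes are kept; an escaped \" becomes
// \u0022. Walks the serialized text, so object keys are covered as well.
function jsonEncodeHex(value) {
  const src = JSON.stringify(value);
  let out = '';
  let inString = false;
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (!inString) {
      out += c;
      if (c === '"') inString = true;
    } else if (c === '\\') {
      // escape sequence: \" -> \u0022, anything else copied verbatim
      const next = src[i + 1];
      out += next === '"' ? HEX['"'] : c + next;
      i++;
    } else if (c === '"') {
      out += c;
      inString = false;
    } else {
      out += HEX[c] !== undefined ? HEX[c] : c;
    }
  }
  return out;
}

// The hex form must decode to exactly the same value as plain JSON.
function roundTrips(value) {
  return JSON.stringify(JSON.parse(jsonEncodeHex(value))) === JSON.stringify(value);
}

// True if the text contains anything an HTML tokenizer could act on, other
// than the JSON string delimiters themselves.
function hasHtmlSignificantChars(json) {
  return /[<>&']/.test(json);
}

// Inline <script> embedding: with plain JSON.stringify, a "</script>" inside
// a string closes the real script element early; the hex form cannot.
function scriptBlock(value, useHex) {
  const json = useHex ? jsonEncodeHex(value) : JSON.stringify(value);
  return '<script>var cfg = ' + json + ';</script>';
}
function closingScriptTags(html) {
  return (html.match(/<\/script>/gi) || []).length;
}

// Single-quoted attribute embedding: the hex form contains no quote for the
// attribute parser to stop at and nothing for HTML decoding to change, so
// JSON.parse on the decoded attribute value returns the original.
function attrRoundTrips(value) {
  const json = jsonEncodeHex(value);
  return !json.includes("'") &&
    JSON.stringify(JSON.parse(htmlAttrDecode(json))) === JSON.stringify(value);
}
```

jsSeenByBrowser("';alert(0);//", false) and jsSeenByBrowser("';alert(0);//", true) both return foo='';alert(0);//' as the executed JavaScript, which is the "wrong context" failure Rasmus describes. jsonEncodeHex("</script>") returns "\u003c/script\u003e", still valid JSON, and is what lets the same data sit inside a script element or a quoted attribute without a second filter on top.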