Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:33612 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 46573 invoked by uid 1010); 3 Dec 2007 22:42:08 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 46558 invoked from network); 3 Dec 2007 22:42:08 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 3 Dec 2007 22:42:08 -0000 Authentication-Results: pb1.pair.com header.from=rasmus@lerdorf.com; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=rasmus@lerdorf.com; spf=permerror; sender-id=unknown Received-SPF: error (pb1.pair.com: domain lerdorf.com from 204.11.219.139 cause and error) X-PHP-List-Original-Sender: rasmus@lerdorf.com X-Host-Fingerprint: 204.11.219.139 mail.lerdorf.com Received: from [204.11.219.139] ([204.11.219.139:44334] helo=mail.lerdorf.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 66/CC-02463-F3684574 for ; Mon, 03 Dec 2007 17:42:08 -0500 Received: from trainburn-lm.corp.yahoo.com (trainburn-lm.corp.yahoo.com [207.126.233.11]) (authenticated bits=0) by mail.lerdorf.com (8.14.2/8.14.2/Debian-1) with ESMTP id lB3Mg0wO008918 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 3 Dec 2007 14:42:00 -0800 Message-ID: <47548638.9020709@lerdorf.com> Date: Mon, 03 Dec 2007 14:42:00 -0800 User-Agent: Thunderbird 2.0.0.9 (Macintosh/20071031) MIME-Version: 1.0 To: Stanislav Malyshev CC: Sara Golemon , PHP Internals References: <474F0EE7.8020201@php.net> <474F4E47.8050506@zend.com> <474F5E12.1050404@php.net> <474F5F75.3030808@zend.com> <475081DD.90404@php.net> <4750B3CA.20405@zend.com> <475101FF.5080103@lerdorf.com> <475482AF.3050800@zend.com> In-Reply-To: <475482AF.3050800@zend.com> X-Enigmail-Version: 0.95.5 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV 0.91.2/4985/Mon Dec 3 12:50:32 2007 on colo.lerdorf.com X-Virus-Status: Clean Subject: Re: [PHP-DEV] Proposed feature for json_encode() From: rasmus@lerdorf.com (Rasmus Lerdorf) Stanislav Malyshev wrote: >> Stuff like this often isn't completely deterministic. The attack >> vectors will move around and new ones will be discovered but since the >> syntax Sara is proposing is completely valid JSON it gives people >> another tool. Documenting specific attack vectors is useful too, of >> course, but a secondary concern in my mind. > > I'm not talking about attack vectors and full security analysis. For me, > it is a primary concern having some security oriented feature to know > *what exactly* it does and when you should and should not use it. We > were burned repeatedly by implementing various cool features that were > misused for doing things that they weren't meant to do and then we were > blamed for it - so I think we need to have clear understanding of when > and why this feature is useful and explicitly document it. Otherwise > what would happen is that people would use this option, pass JS data > through it, stick it into DOM, get XSS and start blogging about "huge > XSS in supposedly secure json_encode() function in PHP". > Or, not seeing how it can help them, won't use it at all. This is just a different way of encoding Javascript which depending on the context of use will enable Javascript to be embedded securely. Not providing an alternate encoding is a bit like arguing that we shouldn't have base64_encode() because if used incorrectly it could be insecure. We don't have an explanation of when base64_encode() is useful in the docs, although I suppose we could come up with some scenarios for when you want to squeeze arbitrary data into the set of characters base64_encode() uses. Same thing for this json_encode() feature. We can come up with a set of scenarios where we would like to avoid having characters that are meaningful in XML and HTML show up in our json strings. -Rasmus