Newsgroups: php.internals
From: wietse@porcupine.org (Wietse Venema)
To: internals@lists.php.net
Date: Wed, 30 Jan 2008 20:13:02 -0500 (EST)
Message-ID: <20080131011302.8B9D71F3E98@spike.porcupine.org>
Subject: PHP taint support updated

I've uploaded a new version of taint support for PHP. You can find all the files via:

    ftp://ftp.porcupine.org/pub/php/index.html

This version supports PHP 5.2.5, and fixes one typo in mysqli support (thanks Adam Gundy). Little has changed because I wanted to catch up with the current PHP release first.

What is taint support for PHP about?

This is a preliminary implementation of support for tainted variables in PHP. The goal is to help PHP application programmers find and eliminate opportunities for HTML script injection, SQL or shell code injection, or PHP control hijacking, before other people can exploit them.

The implementation provides taint support for basic operators and for a selection of built-in functions and extensions. For examples and details, see the README file, also on-line at:

    ftp://ftp.porcupine.org/pub/php/php-5.2.5-taint-20080130.README.html

I need your feedback to make this code complete. I hope to do several quick 1-2 month release cycles in which I collect feedback, fill in missing things, and adjust course until things stabilize.

Wietse