Newsgroups: php.internals
From: wietse@porcupine.org (Wietse Venema)
To: internals@lists.php.net
Date: Thu, 24 Apr 2008 09:57:30 -0400 (EDT)
Subject: PHP taint support update
Message-ID: <20080424135730.239761F3E98@spike.porcupine.org>

FYI, Taint support for PHP 5.2.5 has been updated.
The 20080423 version improves support for PCRE, and fixes a harmless read-after-free bug.

The primary goal of this code is to help PHP application programmers find and eliminate opportunities for HTML script injection, SQL or shell code injection, or PHP control hijacking. It's off by default, but can be configured to produce warnings or to terminate execution.

User-mode "make test" run-time overhead is 0.5-1.5%, as measured on two different CPUs with the same OS and the same PHP executables. The bench.php overhead is 2%, and presents a worst-case number for compute-bound PHP applications that spend their entire life iterating over tiny loops.

For more info, you can find links off http://wiki.php.net/rfc/taint/

I presented a talk this week to the NYPHP users group. You can find a copy of my slides at http://www.nyphp.org/content/presentations/

Wietse