Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Safe Casting Functions
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stanislav Malyshev
Cc: Andrea Faulds, PHP Internals
Date: Thu, 20 Nov 2014 16:10:15 +0900
In-Reply-To: <546D43B3.60708@gmail.com>
References: <66B7B28C-2651-4A71-AC2A-55D4C7BB3DDC@ajf.me> <546D43B3.60708@gmail.com>

Hi Stas,

On Thu, Nov 20, 2014 at 10:28 AM, Stanislav Malyshev wrote:

> > I like this RFC overall. Precise parameter checks are good for security
> > always.
>
> I don't see how it matters for security at all. If you need an int,
> (int) works as well as any proposed check, security-wise. You may want
> different diagnostics, etc. but this doesn't have to do much with
> security. In other words, if the security depends on any differences
> between (int) and to_int, it's probably not done right.

Please refer to CWE/SANS TOP 25, Monster Mitigation especially.
http://cwe.mitre.org/top25/#Mitigations
and ISO 27000. (I cannot provide a link to it, since one has to buy the document to read it.)

Programmers should control all inputs as the most important security measure.
There are two strategies in general.

- Convert inputs to secure values and ignore possible attacks. (Sanitization)
- Validate inputs to reject malformed values and record possible attacks. (Validation and logging)

(int) is sanitization. It works, but it cannot log/detect possible attacks (or bugs).
to_int can be used as validation. It has the advantage of recording possible attacks (or bugs).
Logging is one of the important security features. Therefore, validation could be said to be more secure than sanitization.

Which strategy to adopt depends on organization/application policy. Public web sites may ignore invalid inputs due to the large number of attacks, while private web sites may require recording all possible attacks (or bugs), for example.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
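The sanitization-versus-validation distinction drawn in the message above, as an added example that is not part of the original thread or of the Safe Casting Functions RFC. Because the RFC's to_int() is only a proposal, the validating side is a hypothetical helper validate_int() built on PHP's existing filter_var(FILTER_VALIDATE_INT); the input values are constructed samples, and the log is an in-memory array standing in for whatever the application's logging policy requires.

```php
<?php
// Added example, not code from the RFC or the mailing-list thread.
// Assumptions: validate_int() is a hypothetical helper using filter_var();
// $samples is a constructed list of request-parameter-like strings.

declare(strict_types=1);

/**
 * Sanitization: coerce whatever arrived into an int and carry on.
 * A malformed value silently becomes 0 or a truncated number; nothing is recorded.
 */
function sanitize_int(string $input): int
{
    return (int) $input;
}

/**
 * Validation: accept only a well-formed integer in PHP's int range.
 * Anything else is rejected (null) and appended to $log so the
 * possible attack or bug can be detected later, which (int) cannot offer.
 */
function validate_int(string $input, string $field, array &$log): ?int
{
    $value = filter_var($input, FILTER_VALIDATE_INT);
    // "0" validates to int 0, which is falsy, so the comparison must be strict.
    if ($value === false) {
        $log[] = sprintf('rejected %s: %s', $field, json_encode($input));
        return null;
    }
    return $value;
}

// Constructed sample inputs: well-formed, partially numeric, empty, float-like,
// out of range, and exponent notation.
$samples = ['42', '-7', '0', '12abc', '', '4.5', '9999999999999999999999', '1e3'];

$log = [];
foreach ($samples as $raw) {
    $sanitized = sanitize_int($raw);
    $validated = validate_int($raw, 'page', $log);
    printf(
        "%-26s (int) => %-20s validated => %s\n",
        var_export($raw, true),
        var_export($sanitized, true),
        $validated === null ? 'REJECTED' : var_export($validated, true)
    );
}

echo "\nSecurity log (" . count($log) . " entries):\n";
foreach ($log as $line) {
    echo "  $line\n";
}
```

Running it side by side shows the trade-off the message describes: the cast never fails, so '12abc', '' and '4.5' all quietly become integers the application will act on, while the validating helper refuses them and leaves a log entry that a private site can review, and a public site can choose to drop.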