Subject: Re: [PHP-DEV] taint
From: christopher.owen@live.com (Christopher Owen)
To: Kalle Sommer Nielsen
CC: Internals, wietse@porcupine.org, laruence@php.net
Date: Mon, 14 Sep 2015 15:17:15 -0600

> On Sep 14, 2015, at 1:35 PM, Kalle Sommer Nielsen wrote:
>
> Hi Christopher
>
> 2015-09-14 4:44 GMT+02:00 Christopher Owen:
>> Please consider making ‘taint’ a first-class feature/extension in PHP 7.0.
>
> It is way too late for any extension to be included in the 7.0 release
> now, but you can write an RFC targeting 7.1, please see the wiki for
> more details[1].

Thank you for the advice; it makes much more sense to target 7.1.

We can see that Wietse Venema, the same man who wrote the highly regarded, security-hardened email software Postfix, has authored an RFC for taint's inclusion in PHP in the past [1]. Also, a reference implementation has been most recently championed by Xinchen (Laruence) Hui, a core PHP developer [2].

Given those that came before me, I'm not certain that I can add much in the way of reputation or skill to the request to add taint as a first-class feature of PHP 7.1, but if there are any procedural efforts required then I will be happy to champion them.

I can add that I have personally found taint (either in its original form in Perl [3] or as an extension in PHP) a valuable tool in refactoring legacy PHP code to reduce SQL injection attack surface.

As authoritative internet ‘top ten’ lists will list SQL injection as the number one security vulnerability facing web applications [4] and given the scale of deployed PHP, efforts to improve tooling (or in this case, the availability of existing tooling) to discover this class of vulnerabilities will have a positive impact on a global scale.

Kind regards,
Christopher Owen.

[1] https://wiki.php.net/rfc/taint
[2] http://pecl.php.net/package/taint
[3] http://perldoc.perl.org/perlsec.html#Taint-mode
[4] http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
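Added illustration, not part of the thread and not the PECL taint extension's own code or documentation: the legacy-refactoring use of taint that the message describes, showing how the mark spreads from request input into concatenated SQL and disappears once the value is bound as a parameter. taint(), untaint() and is_tainted() are the extension's functions; the request value is a constructed stand-in for $_GET['id'], and the prepared-statement call appears only as a comment because no database connection is assumed.

```php
<?php
// Added example (not from the thread): using the PECL taint extension to
// find where user input reaches SQL text in legacy code, and the refactoring
// that removes it. Run with the extension loaded; without it the taint
// functions are unavailable and the state is reported as "unknown".

function taintState(string $value): string
{
    if (!extension_loaded('taint')) {
        return 'unknown (taint extension not loaded)';
    }
    // The extension marks request strings ($_GET, $_POST, $_COOKIE) as
    // tainted, carries the mark through concatenation and most string
    // functions, and warns when such a string reaches a sink such as
    // mysqli_query().
    return is_tainted($value) ? 'TAINTED' : 'clean';
}

// Constructed stand-in for $_GET['id']; real request data is marked by the
// extension automatically, here we mark it by hand.
$id = '1 OR 1=1';
if (extension_loaded('taint')) {
    taint($id);
}

// Legacy pattern: the query text is built by concatenation, so the taint of
// $id spreads to the whole statement. This is what the extension flags.
$legacySql = 'SELECT * FROM users WHERE id = ' . $id;
printf("legacy query: %s\n", taintState($legacySql));

// Refactored pattern: the user value is bound as a parameter, so the SQL
// text never contains it and stays clean.
$boundSql = 'SELECT * FROM users WHERE id = ?';
printf("bound query:  %s\n", taintState($boundSql));
// e.g. $stmt = $mysqli->prepare($boundSql); $stmt->bind_param('i', $id);

// Where string building cannot be removed yet: validate strictly, and only
// then clear the mark with untaint(), so the trust decision is explicit.
if (filter_var($id, FILTER_VALIDATE_INT) !== false) {
    if (extension_loaded('taint')) {
        untaint($id);
    }
    printf("validated id: %s\n", taintState($id));
} else {
    printf("validated id: rejected, not untainted\n");
}
```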