Newsgroups: php.internals
Subject: Re: [PHP-DEV] taint
From: craig@craigfrancis.co.uk (Craig Francis)
Date: Tue, 15 Sep 2015 16:09:00 +0100
To: Christopher Owen
Cc: Kalle Sommer Nielsen, Internals, wietse@porcupine.org, laruence@php.net

2015-09-14 4:44 GMT+02:00 Christopher Owen:
> Please consider making ‘taint’ a first-class feature/extension in PHP 7.0.

I would echo Kalle's suggestion of 7.1.

But I think you will find it hard to get support... I was pushing this a few weeks ago (either the one from Wietse Venema, the one from Matt Tait, or even my own suggestion), but it seems the developers are more interested in features that make them seem clever, rather than pointing out their mistakes... And yes, I am intentionally trying to be provocative.

I'm annoyed that so much time was spent on type hinting, just so we can enforce [bool/float/int/string], yet most of the time it is the encoding of strings that introduces security problems - not just SQLi, but also things like XSS.

Craig

On 14 Sep 2015, at 22:17, Christopher Owen wrote:

>> On Sep 14, 2015, at 1:35 PM, Kalle Sommer Nielsen wrote:
>>
>> Hi Christopher
>>
>> 2015-09-14 4:44 GMT+02:00 Christopher Owen:
>>> Please consider making ‘taint’ a first-class feature/extension in PHP 7.0.
>>
>> It is way too late for any extension to be included in the 7.0 release
>> now, but you can write an RFC targeting 7.1, please see the wiki for
>> more details[1].
>
> Thank you for the advice; it makes much more sense to target 7.1.
>
> We can see that Wietse Venema, the same man who wrote the highly regarded, security hardened email software Postfix, has authored an RFC for taint's inclusion in PHP in the past [1]. Also, a reference implementation has been most recently championed by Xinchen (Laruence) Hui, a core php developer [2].
>
> Given those that came before me, I’m not certain that I can add much in the way of reputation or skill to the request to add taint as a first-class feature of PHP 7.1, but if there are any procedural efforts required then I will be happy to champion them.
>
> I can add that I have personally found taint (either in its original form in perl[3] or as an extension in php) a valuable tool in refactoring legacy php code to reduce SQL injection attack surface.
>
> As authoritative internet ‘top ten’ lists will list SQL injection as the number one security vulnerability facing web applications [4] and given the scale of deployed php, efforts to improve tooling (or in this case, the availability of existing tooling) to discover this class of vulnerabilities will have a positive impact on a global scale.
>
> Kind regards,
> Christopher Owen.
>
> [1] https://wiki.php.net/rfc/taint
> [2] http://pecl.php.net/package/taint
> [3] http://perldoc.perl.org/perlsec.html#Taint-mode
> [4] http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
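Craig's point that a `string` type declaration says nothing about where the bytes came from, shown as an added example that is not part of this thread or of the taint extension's own code. It assumes the pecl taint extension from [2] is loaded with `taint.enable=1` so that request values arrive tainted and `is_tainted()` reports propagation; the `$_GET` value and the `findUser`/`findUserSafe` helpers are constructed for illustration.

```php
<?php
// Added example, not from the thread. Assumes pecl "taint" is loaded with
// taint.enable=1, which marks $_GET/$_POST/$_COOKIE strings as tainted and
// provides is_tainted(). Nothing here is the extension's own code.
declare(strict_types=1);

// Passes the strict type check whether the argument is a literal or attacker
// input: the type system tracks kind, not provenance.
function findUser(string $username): string
{
    // Concatenation propagates the taint flag onto the resulting query text.
    return "SELECT id FROM users WHERE name = '" . $username . "'";
}

// Constructed sample request value; with taint.enable=1 it is tainted on entry.
$_GET['name'] = "alice' OR '1'='1";
$sql = findUser($_GET['name']);

if (is_tainted($sql)) {
    // The extension would also warn when $sql reaches a sink such as
    // mysqli_query(); checking earlier lets the app refuse rather than run it.
    error_log('refusing to execute a query built from untrusted input');
}

// Defensive form: the untrusted value is bound as a parameter, so the SQL
// text itself is a constant and never carries tainted bytes to the sink.
function findUserSafe(mysqli $db, string $username): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row['id'] ?? null;
}
```

Run under a taint-enabled php.ini, the first path logs the refusal, while `findUserSafe()` is free of the warning because only the placeholder query string reaches `prepare()`.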