Newsgroups: php.internals
Subject: Re: [PHP-DEV] taint
From: Ángel González <keisial@gmail.com>
Date: Wed, 16 Sep 2015 01:12:42 +0200
To: Anthony Ferrara, PHP Developers Mailing List
CC: wietse@porcupine.org, craig@craigfrancis.co.uk
Message-ID: <55F8A5EA.5080205@gmail.com>

On 15/09/15 18:23, Anthony Ferrara wrote:
> Third, it ignores context. This is related to the first two, but I
> think is a separate concern. An example from the taint RFC
> (https://wiki.php.net/rfc/taint) is the shell-execution. If the
> variable is used in the context of command, one escape function is
> needed. If it's used as an argument, another is needed. Detecting
> which is not something that's trivial for a language-level taint
> function.
> (…)

Actually, you almost always will want escapeshellarg().

escapeshellcmd() _might_ be useful for code like the function example, where you want the user to explicitly provide *several* parameters, *and* you somehow don't want to split by spaces and apply escapeshellarg to each. And even then, there are non-working edge cases waiting to bite you, as shown in the comments.

You have a good point, but escapeshellcmd or "let's change the SQL encoding" are things that you'd better avoid, security-wise.

Best regards
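To make the distinction in the reply above concrete, here is an added example (not code from the thread or from PHP's own sources) that feeds a few constructed input strings through both functions and shows how many arguments the shell actually hands to the program afterwards. It assumes PHP on a POSIX system with /bin/sh (the escaping rules differ on Windows) and uses printf as a harmless stand-in for the real program, since it prints each argument it receives on its own line.

```php
<?php
declare(strict_types=1);

// Runs `printf '[%s]\n' <fragment>` through the shell and returns the arguments
// that printf actually received, one array entry per argument.
// Assumes a POSIX /bin/sh; the escaping functions behave differently on Windows.
function argvOf(string $shellFragment): array
{
    $out = shell_exec("printf '[%s]\\n' " . $shellFragment);
    if (!is_string($out)) {
        return [];
    }
    preg_match_all('/^\[(.*)\]$/m', $out, $m);
    return $m[1];
}

// Constructed sample values standing in for user-controlled input.
$samples = [
    'report 2015.txt --verbose', // whitespace only: escapeshellcmd() changes nothing
    'a;b',                       // a shell metacharacter: both functions neutralise it
    "it's",                      // an unpaired quote: escapeshellcmd() backslash-escapes it
    "'a b' c",                   // paired quotes: escapeshellcmd() leaves them untouched
];

foreach ($samples as $value) {
    $cmd = escapeshellcmd($value); // output may still contain several shell words
    $arg = escapeshellarg($value); // output is always exactly one shell word
    printf("input:          %s\n", $value);
    printf("escapeshellcmd: %s -> %s\n", $cmd, json_encode(argvOf($cmd)));
    printf("escapeshellarg: %s -> %s\n\n", $arg, json_encode(argvOf($arg)));
}
// For 'report 2015.txt --verbose' the escapeshellcmd() line yields three arguments
// ["report","2015.txt","--verbose"] and the escapeshellarg() line yields one.
// For "'a b' c" the escapeshellcmd() line yields ["a b","c"]: the paired quotes
// survive and regroup the words, which is the edge case the reply refers to.

// The pattern the reply recommends: a fixed program path plus escapeshellarg()
// applied to every parameter separately. When the user legitimately supplies
// several parameters, split first and then escape each token.
function buildCommand(string $program, array $params): string
{
    return $program . ' ' . implode(' ', array_map('escapeshellarg', $params));
}

$userParams = preg_split('/\s+/', trim('report 2015.txt --verbose'));
$command    = buildCommand('/usr/bin/printf', array_merge(['[%s]\n'], $userParams));
echo $command, "\n";
echo shell_exec($command);
// Prints [report], [2015.txt] and [--verbose] on separate lines: every token is
// one argument and none can introduce metacharacters or regroup the others.
// Quoting alone does not validate content: a token beginning with "-" is still
// parsed as an option by the program, so allow-list values where that matters.
```

The contrast to watch is the third column: escapeshellcmd() only stops the shell from running a second command, it does not fix the number of arguments, so a value that was meant to be one parameter can still become several. escapeshellarg() makes the value exactly one parameter whatever it contains, which is why the reply says it is almost always the one you want.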