Newsgroups: php.internals
Subject: Re: [PHP-DEV] taint
From: thruska@cubiclesoft.com (Thomas Hruska)
To: Internals
Date: Wed, 16 Sep 2015 07:13:18 -0700
Message-ID: <55F978FE.90908@cubiclesoft.com>
In-Reply-To: <55F842FE.6080502@dennis.birkholz.biz>

On 9/15/2015 9:10 AM, Dennis Birkholz wrote:
> Hi all,
>
> On 15.09.2015 at 17:09, Craig Francis wrote:
>> 2015-09-14 4:44 GMT+02:00 Christopher Owen :
>>> Please consider making ‘taint’ a first-class feature/extension in PHP 7.0.
>>
>> I would echo Kalle's suggestion of 7.1.
>>
>> But I think you will find it hard to get support... I was pushing this a
>> few weeks ago (either the one from Wietse Venema, the one from Matt Tait,
>> or even my own suggestion), but it seems the developers are more
>> interested in features that make them seem clever, rather than pointing
>> out their mistakes...
>
> The problem with taint support is to get it 100% right. If you leave one
> edge case open, who is to blame? PHP or the developer that was totally
> confident the taint support might warn him?

You can grab the following four paragraphs and add them to whatever documentation on taint you might use.

==8<--------------------------

Taint is blacklisting.

Blacklisting, in and of itself and regardless of the form it takes, is an immediate indicator of an application that is prone to security vulnerabilities and/or breakage that can lead to a vulnerability.

With extraordinarily rare exceptions, blacklists are never 100% correct. Even if it manages to reach 100% accuracy today, a blacklist will be out of date tomorrow due to advances in the field.

While writing software paired with a blacklist such as taint, performing an appropriate security audit of the software is the only truly effective approach to securing that software.

====8<------------------------

Problem solved. Also, those are ASCII scissors (in case anyone is wondering).

As a side note, preg_match() is my current favorite blacklist indicator of "code with probable security vulnerabilities." If taint is added to PHP without a suitable caveat lector, it merely adds another tool to my psychological profiling arsenal.

-- 
Thomas Hruska
CubicleSoft President

I've got great, time saving software that you will find useful.

http://cubiclesoft.com/
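The "one edge case open" problem raised in the quoted message is easiest to see with a concrete model. The following is an added example, not code from the thread or from any of the taint proposals mentioned in it: a toy userland taint tracker in PHP (assumes PHP 8.1+; the class and function names `Tainted`, `request_param`, `concat`, `html_escape`, `echo_html` and `rebuild_via_comparison` are all invented for this illustration). It catches a direct flow of request data into an HTML output sink, but misses an implicit flow, where the output is rebuilt from comparisons against the tainted value rather than copied from it. Real taint extensions track at the engine level rather than with a wrapper object, but they share this gap: the untainted literals written on the comparison path carry no taint, so the checker stays silent while the output is still fully controlled by the request.

```php
<?php
// Added example (not from the mailing-list thread): a toy userland taint
// tracker used to show where taint checking goes quiet. Requires PHP 8.1+.

final class Tainted
{
    // Wraps a string that originated from an untrusted source.
    public function __construct(public readonly string $value) {}
}

// Source: every request parameter is wrapped as Tainted.
function request_param(array $get, string $name): Tainted
{
    return new Tainted($get[$name] ?? '');
}

// Propagation: concatenation stays tainted if any operand is tainted.
function concat(string|Tainted ...$parts): string|Tainted
{
    $tainted = false;
    $out = '';
    foreach ($parts as $p) {
        if ($p instanceof Tainted) {
            $tainted = true;
            $out .= $p->value;
        } else {
            $out .= $p;
        }
    }
    return $tainted ? new Tainted($out) : $out;
}

// Sanitizer: HTML escaping clears taint for the HTML output sink.
function html_escape(string|Tainted $s): string
{
    $raw = $s instanceof Tainted ? $s->value : $s;
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Sink: refuses tainted data; this is the warning a taint extension would raise.
function echo_html(string|Tainted $s): string
{
    if ($s instanceof Tainted) {
        throw new RuntimeException('taint: tainted data reached the HTML output sink');
    }
    return $s;
}

// Implicit flow: the result is assembled from untainted literals chosen by
// comparing against attacker-controlled characters. No Tainted object ever
// reaches the sink, yet the output equals the request input byte for byte.
function rebuild_via_comparison(Tainted $t): string
{
    $out = '';
    foreach (str_split($t->value) as $ch) {
        foreach (range(32, 126) as $code) {
            if ($ch === chr($code)) {   // comparison leaks the value ...
                $out .= chr($code);     // ... into an untainted literal
                break;
            }
        }
    }
    return $out;
}

$get = ['name' => '<b>not escaped</b>'];   // constructed sample request

// Case 1: direct flow is caught by the sink.
try {
    echo_html(concat('<p>Hello ', request_param($get, 'name'), '</p>'));
} catch (RuntimeException $e) {
    echo "direct flow: ", $e->getMessage(), "\n";
}

// Case 1b: the sanitized path passes, and the output is actually safe.
echo "escaped:     ", echo_html(concat('<p>Hello ', html_escape(request_param($get, 'name')), '</p>')), "\n";

// Case 2: implicit flow passes the checker while the markup is left intact.
echo "implicit:    ", echo_html(concat('<p>Hello ', rebuild_via_comparison(request_param($get, 'name')), '</p>')), "\n";
```

Running it prints the sink's exception for the direct flow, the escaped output for the sanitized path, and the raw `<b>` markup for the implicit flow with no complaint from the tracker. That last line is the edge case the message warns about: a developer who relies on the taint warning to find mistakes gets no signal here, which is why the reply treats an audit of the software itself, rather than the tracker, as the decisive control.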