Newsgroups: php.internals
Xref: news.php.net php.internals:88257
Subject: Re: [PHP-DEV] taint
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Stefan Esser, internals@lists.php.net
Date: Wed, 16 Sep 2015 11:37:10 -0700
Message-ID: <55F9B6D6.9040806@gmail.com>
In-Reply-To: <55F97ECF.3060006@sektioneins.de>
References: <55F842FE.6080502@dennis.birkholz.biz> <55F978FE.90908@cubiclesoft.com> <55F97ECF.3060006@sektioneins.de>

Hi!

>> Taint is blacklisting.
>>
> Last time I checked marking all user input as tainted and requiring
> "untainting" before usage in sensitive functions is whitelisting and not
> blacklisting.

I would say it's neither - whitelisting is an explicit check (or fixing, to
ensure) that the input matches certain conditions (blacklisting is the same
but "does not match") - but taint actually doesn't do that. All it does is
ensure you did *some* data fixing - it can't really ensure *what* you did,
what were the results of the fixing and if the fixing you employed match the
security context in which you are using the data.

So taint does only the half of the work of either blacklist or whitelist -
it ensures you didn't forget to do _something_, where something could be a
white-list. Or be something useless at all. That's the main thing one needs
to remember when using taint - it doesn't do any work, it just reminds you
to do work, and you still have to ensure the work is right.

-- 
Stas Malyshev
smalyshev@gmail.com
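The context mismatch described in the message above, shown as an added example that is not part of the original post and not code from any PHP taint extension. It is a value-level taint tracker written for illustration: every class and function name in it (Str, fromRequest, untaintForHtml, untaintAsInt, userByIdQuery) is hypothetical, and it assumes PHP 8.1 or later for readonly promoted properties.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread or from any PHP taint implementation.
// Every function that "fixes" data clears the taint flag; the sink only
// sees the flag, never which fixing was applied or whether it fits the sink.
final class Str
{
    public function __construct(
        public readonly string $value,
        public readonly bool $tainted,
    ) {}
}

/** Anything that arrives from the request starts out tainted. */
function fromRequest(string $raw): Str
{
    return new Str($raw, true);
}

/** HTML escaping clears the flag: the tracker only knows that *something* ran. */
function untaintForHtml(Str $s): Str
{
    return new Str(htmlspecialchars($s->value, ENT_QUOTES, 'UTF-8'), false);
}

/** Whitelist for a numeric SQL context: only a plain decimal integer survives. */
function untaintAsInt(Str $s): Str
{
    if (preg_match('/\A[0-9]{1,18}\z/', $s->value) !== 1) {
        throw new InvalidArgumentException('expected an integer id');
    }
    return new Str($s->value, false);
}

/** The sink refuses tainted data, but cannot tell right fixing from wrong. */
function userByIdQuery(Str $id): string
{
    if ($id->tainted) {
        throw new RuntimeException('tainted data reached an SQL sink');
    }
    // Unquoted numeric context: quotes are irrelevant, keywords are not.
    return 'SELECT * FROM users WHERE id = ' . $id->value;
}

// Constructed request value carrying a textbook numeric-context injection.
$payload = fromRequest('1 OR 1=1');

// 1. Nothing was done: taint catches the forgotten step.
try {
    userByIdQuery($payload);
} catch (RuntimeException $e) {
    echo "blocked: {$e->getMessage()}\n";
}

// 2. The wrong fixing for this context: htmlspecialchars() changes nothing in
//    "1 OR 1=1", the flag is cleared anyway, and the query is built intact.
echo userByIdQuery(untaintForHtml($payload)), "\n";

// 3. The fixing that matches the context: the whitelist rejects the payload
//    and accepts a genuine id.
try {
    userByIdQuery(untaintAsInt($payload));
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
echo userByIdQuery(untaintAsInt(fromRequest('42'))), "\n";
```

Run with the PHP CLI, the script prints the "blocked" line for the forgotten step, then the query `SELECT * FROM users WHERE id = 1 OR 1=1` for the HTML-escaped value, since htmlspecialchars() leaves that string untouched while still clearing the flag, then the "rejected" line and finally `SELECT * FROM users WHERE id = 42`. The second output is the point of the message: the tracker was satisfied, and only the choice of fixing, which taint does not see, decides whether the sink is safe.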