Newsgroups: php.internals
Subject: Re: [PHP-DEV] taint
From: laruence@php.net (Xinchen Hui)
Date: Wed, 30 Sep 2015 12:19:39 +0800
To: Stanislav Malyshev
Cc: Stefan Esser, PHP Internals
In-Reply-To: <55F9B6D6.9040806@gmail.com>
References: <55F842FE.6080502@dennis.birkholz.biz> <55F978FE.90908@cubiclesoft.com> <55F97ECF.3060006@sektioneins.de> <55F9B6D6.9040806@gmail.com>

Hey:

On Thu, Sep 17, 2015 at 2:37 AM, Stanislav Malyshev wrote:
> Hi!
>
>>> Taint is blacklisting.
>>>
>> Last time I checked marking all user input as tainted and requiring
>> "untainting" before usage in sensitive functions is whitelisting and not
>> blacklisting.
>
> I would say it's neither - whitelisting is an explicit check (or fixing,
> to ensure) that the input matches certain conditions (blacklisting is
> the same but "does not match") - but taint actually doesn't do that. All
> it does is ensure you did *some* data fixing - it can't really ensure
> *what* you did, what the results of the fixing were and whether the fixing
> you employed matches the security context in which you are using the data.
> So taint does only half of the work of either blacklist or whitelist
> - it ensures you didn't forget to do _something_, where something could
> be a white-list. Or be something useless at all. That's the main thing one
> needs to remember when using taint - it doesn't do any work, it just
> reminds you to do work, and you still have to ensure the work is right.

Just for the record, Taint is ready for PHP7:

https://github.com/laruence/taint/tree/php7

thanks

> --
> Stas Malyshev
> smalyshev@gmail.com

--
Xinchen Hui
@Laruence
http://www.laruence.com/
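The following PHP script is an added illustration of the point Stas makes above (it is not code from this thread, from the taint extension, or from any poster). It assumes the laruence/taint extension is loaded and behaves as its README describes: taint() marks a string, is_tainted() reads the mark, echo and mysqli_query() emit a warning when handed a tainted string, and addslashes(), mysqli_real_escape_string() and htmlspecialchars() return untainted strings. The database credentials and the table name are placeholders.

```php
<?php
// Added example for this thread, not code from the taint extension, its
// tests, or any poster. Assumed behaviour of the laruence/taint extension
// (per its README): taint() marks a string, is_tainted() reads the mark,
// echo and mysqli_query() warn on a tainted string, and addslashes(),
// mysqli_real_escape_string() and htmlspecialchars() return untainted
// strings. Database credentials and the users table are placeholders.
declare(strict_types=1);

$mysqli = mysqli_connect('127.0.0.1', 'app', 'secret', 'app');

// Constructed inputs. In a real request $_GET values arrive already tainted;
// here taint() applies the same mark to the hard-coded strings.
$id   = '1 OR 1=1';
$name = '<script>alert(1)</script>';
taint($id);
taint($name);
var_dump(is_tainted($id), is_tainted($name));               // bool(true) bool(true)

// 1. What taint catches: no fixing at all. Both sinks warn.
echo "<p>Hello, $name</p>";                                  // Warning: tainted string in echo
mysqli_query($mysqli, "SELECT id FROM users WHERE id = $id"); // Warning: tainted string in mysqli_query

// 2. What taint cannot judge: fixing that does not match the context.
//    The mark is cleared, so both sinks stay silent, but nothing is safer.
$sql_escaped = mysqli_real_escape_string($mysqli, $id);      // escapes quotes/backslashes only
$slash_name  = addslashes($name);                            // escapes ' " \ and NUL only
var_dump(is_tainted($sql_escaped), is_tainted($slash_name)); // bool(false) bool(false)

// "1 OR 1=1" contains nothing a string-literal escaper touches, and it is
// interpolated into an unquoted numeric comparison: the OR survives.
mysqli_query($mysqli, "SELECT id FROM users WHERE id = $sql_escaped"); // silent, still injected
// addslashes() leaves < and > alone: the script tag reaches the browser.
echo "<p>Hello, $slash_name</p>";                            // silent, still XSS

// 3. Fixing that matches each context. Taint's verdict is the same as in
//    case 2 (no warning); only a reviewer can tell this one is right.
$int_id = (int) $id;                                         // numeric context: coerce, don't escape
$stmt = mysqli_prepare($mysqli, 'SELECT id FROM users WHERE id = ?');
mysqli_stmt_bind_param($stmt, 'i', $int_id);
mysqli_stmt_execute($stmt);
echo '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>'; // HTML context
```

Run it under a PHP build with the extension loaded (php -d extension=taint.so) and compare the three sections: the warnings appear only in section 1, while sections 2 and 3 are indistinguishable to the extension even though only section 3 is correct for its sinks. That gap is exactly the "it reminds you to do work, and you still have to ensure the work is right" caveat.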