Newsgroups: php.internals
Subject: Re: [PHP-DEV] taint
From: craig@craigfrancis.co.uk (Craig Francis)
To: Thomas Hruska
Cc: Internals
Date: Fri, 2 Oct 2015 10:42:03 +0100
Message-ID: <827FEAD0-30B5-45AB-B7D7-93E4C6611BE5@craigfrancis.co.uk>
In-Reply-To: <55F978FE.90908@cubiclesoft.com>
References: <55F842FE.6080502@dennis.birkholz.biz> <55F978FE.90908@cubiclesoft.com>

Just to add to the white/black listing argument...

I would say that tainting is a whitelist approach, as everything is blocked by default (seen as untainted), and you need to escape your variables depending on the context they will be used in (or go out of your way to say it has already been escaped, for the rare edge cases mentioned in previous discussions).

On 16 Sep 2015, at 15:13, Thomas Hruska wrote:
> As a side note, preg_match() is my current favorite blacklist indicator of "code with probable security vulnerabilities."

I completely disagree, preg_match can work in both ways, it can do white or black listing, as Anthony demonstrated:

    if (preg_match('/^[a-z0-9]+$/', $input)) { }

That white lists only certain characters, anything else won't match.
Craig

On 16 Sep 2015, at 15:13, Thomas Hruska wrote:

> On 9/15/2015 9:10 AM, Dennis Birkholz wrote:
>> Hi all,
>>
>> On 15.09.2015 at 17:09 Craig Francis wrote:
>>> 2015-09-14 4:44 GMT+02:00 Christopher Owen:
>>>> Please consider making 'taint' a first-class feature/extension in PHP 7.0.
>>>
>>> I would echo Kalle's suggestion of 7.1.
>>>
>>> But I think you will find it hard to get support... I was pushing this a few weeks ago (either the one from Wietse Venema, the one from Matt Tait, or even my own suggestion), but it seems the developers are more interested in features that make them seem clever, rather than pointing out their mistakes...
>>
>> The problem with taint support is to get it 100% right. If you leave one
>> edge case open, who is to blame? PHP or the developer that was totally
>> confident the taint support might warn him?
>
> You can grab the following four paragraphs and add it to whatever documentation on taint you might use.
>
> ==8<--------------------------
> Taint is blacklisting.
>
> Blacklisting, in and of itself and regardless of the form it takes, is an immediate indicator of an application that is prone to security vulnerabilities and/or breakage that can lead to a vulnerability.
>
> With extraordinarily rare exceptions, blacklists are never 100% correct. Even if it can manage to reach 100% accuracy today, a blacklist will be out of date tomorrow due to advances in the field.
>
> While writing software being paired with a blacklist such as taint, performing an appropriate security audit of the software is the only truly effective approach to securing that software.
> ====8<------------------------
>
> Problem solved. Also, those are ASCII scissors (in case anyone is wondering).
>
> As a side note, preg_match() is my current favorite blacklist indicator of "code with probable security vulnerabilities." If taint is added to PHP without a suitable caveat lector, it merely adds another tool to my psychological profiling arsenal.
>
> --
> Thomas Hruska
> CubicleSoft President
>
> I've got great, time saving software that you will find useful.
>
> http://cubiclesoft.com/
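As an added illustration (not part of Craig's or Thomas's messages), here is a PHP example of the two ways preg_match is used in the thread, whitelist and blacklist, plus a small userland sketch of Craig's "blocked by default" reading of taint. The Tainted class, its methods and renderParagraph are hypothetical names chosen for the example, not a PHP API.

```php
<?php
declare(strict_types=1);
// Whitelist with preg_match: only the listed characters may appear.
// Note the \z anchor: PCRE's $ also matches before a trailing "\n",
// so "abc123\n" would pass the $-anchored form from the thread.
function isSafeSlug(string $input): bool
{
    return preg_match('/^[a-z0-9]+\z/', $input) === 1;
}

// Blacklist with preg_match: reject a few "known bad" characters and
// let everything else through, so whatever was not listed is accepted.
function passesBlacklist(string $input): bool
{
    return preg_match('/[<>\'"]/', $input) === 0;
}

// Userland sketch of tainting as "blocked by default": request data is
// wrapped in Tainted, and a sink typed as string refuses it until the caller
// escapes it for that sink's context. Tainted and its methods are hypothetical.
final class Tainted
{
    public function __construct(private string $raw) {}

    public function forHtml(): string
    {
        return htmlspecialchars($this->raw, ENT_QUOTES, 'UTF-8');
    }

    public function forShellArg(): string
    {
        return escapeshellarg($this->raw);
    }
}

function renderParagraph(string $escaped): string
{
    return "<p>{$escaped}</p>";
}

// Constructed sample input standing in for $_GET['name'].
$name = new Tainted("O'Brien <b>bold</b>");

// renderParagraph($name) throws a TypeError: the raw value is blocked by default.
echo renderParagraph($name->forHtml()), "\n"; // accepted once escaped for HTML

var_dump(isSafeSlug('abc123'));             // plain slug
var_dump(isSafeSlug("abc123\n"));           // trailing newline is not whitelisted
var_dump(passesBlacklist("abc123\n"));      // the blacklist never listed "\n"
var_dump(passesBlacklist('%3Cscript%3E'));  // nor an encoded form of "<"
```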