Newsgroups: php.internals
Subject: taint as a first-class feature for php 7.1
From: Christopher Owen <christopher.owen@live.com>
Date: Tue, 17 Nov 2015 01:34:06 -0600
In-Reply-To: <827FEAD0-30B5-45AB-B7D7-93E4C6611BE5@craigfrancis.co.uk>

Hello again php-internals.
I was the original poster of the (most recent) thread on making taint a first-class feature for php.

Shortly after the start of the original thread, Laruence ported the existing php-taint extension to php7 (thank you very much sir!).

For those of you who might like to try, I have been able to successfully test against php 7.0-rc7 using the following steps:

~~ build php-taint for php7

git clone -b php7 https://github.com/laruence/taint.git php-taint
cd php-taint
/phpize
./configure --with-php-config=/php-config
make && make install

and to the configuration file /ext-taint.ini add:

[taint]
extension="//taint.so"
taint.enable = On

~~ Recap of discussion so far

Administrative:
- Any new feature requests should be for php 7.1 and not php 7.0
- Taint should not be written to the logs in the default configuration, as is true for NOTICE level logs

Pros:
- Taint helps to refactor legacy/large code bases
- Taint helps to identify entire classes of programming bugs (such as SQL injections)
- Security experts suggest taint as a useful tool
- Including taint as a first-class feature will allow for it to be available in future linux distribution packages of php

Cons:
- Taint could harm inexperienced or unmindful programmers; improper filtering of a tainted variable could be falsely validated via a taint feature.
- Taint may promote inexperienced programmers to add bad sanitization, reducing their code quality.

~~ Adding to the discussion

Taint is a great feature for identifying where no sanitization is occurring (as opposed to incorrect sanitization).

Incorrect sanitization is not addressed by taint and can currently only be addressed via code audit; this situation is analogous to what taint will improve for the 'no sanitization' case.
Taint will not suggest a contextually correct sanitization, but arming a programmer with the knowledge of where to consider sanitization should at worst promote thought and will at best contribute to improved security globally.

The inclusion of taint does not worsen the 'incorrect sanitization' case.

The inclusion of taint does not hinder future RFCs from addressing the 'incorrect sanitization' case.

It would be fantastic to be able to call untaint() without having to first check if the module is loaded (as could be the case in a staging versus production environment configuration for example).

~~ Moving forward

As discussion seems to have died out, I would like to propose moving to the next stage for inclusion of taint as a first-class feature of php 7.1.

Kind regards,
Christopher Owen.
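The distinction the post draws (taint catches the "no sanitization" case but is silent on the "incorrect sanitization" case, because untaint() is only the programmer's claim that sanitization happened) is easiest to see on a small model. The block below is an added example written for this page; it is a toy taint tracker in Python, not the php-taint extension, and its names (Tainted, TaintError, execute_sql, the REQUEST dictionary standing in for $_GET) are assumptions made for the illustration. It tracks taint only through "+", replace() and strip(), which is enough to show the three cases: unsanitized input reaching a sink, validated input untainted correctly, and an incorrect "sanitizer" that untaints an injection payload unchallenged.

```python
# Toy taint-tracking model (added example, not the php-taint extension).
#
# Strings that arrive from a request are wrapped in Tainted; the string
# operations overridden below keep the flag on the strings they build;
# a "sink" (here: SQL execution) refuses tainted input.  untaint() is the
# developer's assertion that sanitisation has happened.  The model cannot
# judge whether that assertion is correct, which is the post's point.


class TaintError(Exception):
    """Raised when a tainted string reaches a sensitive sink."""


class Tainted(str):
    """A str subclass whose taint flag survives the operations below."""

    def __add__(self, other):
        if not isinstance(other, str):
            return NotImplemented
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        if not isinstance(other, str):
            return NotImplemented
        return Tainted(str.__add__(other, self))

    def replace(self, old, new, count=-1):
        return Tainted(str.replace(self, old, new, count))

    def strip(self, chars=None):
        return Tainted(str.strip(self, chars))


def is_tainted(value):
    return isinstance(value, Tainted)


def taint(value):
    return Tainted(value)


def untaint(value):
    # str() on a str subclass returns an exact str, i.e. drops the flag.
    return str(value)


def execute_sql(query):
    """Sink: refuse to run a query built from input nobody untainted."""
    if is_tainted(query):
        raise TaintError("tainted string reached SQL sink: " + str(query))
    return "executed: " + query


# Constructed request data standing in for $_GET (assumption for the demo).
REQUEST = {"id": taint("42"), "evil_id": taint("42 OR 1=1")}


def query_no_sanitisation(user_id):
    # Case 1: no sanitisation at all.  Taint reports this.
    return execute_sql("SELECT * FROM users WHERE id = " + user_id)


def query_validated(user_id):
    # Case 2: strict validation (digits only), then untaint.  Correct use.
    if not user_id.isdigit():
        raise ValueError("id must be an integer")
    return execute_sql("SELECT * FROM users WHERE id = " + untaint(user_id))


def query_wrongly_sanitised(user_id):
    # Case 3: incorrect sanitisation.  Stripping single quotes does nothing
    # for an unquoted numeric context, but untaint() is the programmer's
    # claim and the tracker accepts it: the injection runs with no warning.
    cleaned = untaint(user_id.replace("'", ""))
    return execute_sql("SELECT * FROM users WHERE id = " + cleaned)


def outcome(fn, value):
    """Classify what happens when fn is run on value: one of
    'blocked' (taint stopped it), 'rejected' (validation refused it)
    or the executed query string (the sink ran it)."""
    try:
        return fn(value)
    except TaintError:
        return "blocked"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    for name, fn in [("no sanitisation", query_no_sanitisation),
                     ("validated", query_validated),
                     ("wrongly sanitised", query_wrongly_sanitised)]:
        for key in ("id", "evil_id"):
            print(name, key, "->", outcome(fn, REQUEST[key]))
```

The "wrongly sanitised" row with evil_id is the case the cons in the recap worry about: the query executes and the tracker stays silent, because removing the taint flag and removing the danger are two different things. In real PHP the analogue of the post's last wish (calling untaint() even when the extension is not loaded, e.g. in production) would be a function_exists('untaint') guard that defines a no-op fallback; that guard is a PHP idiom and is not shown in the Python model above.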