Newsgroups: php.internals
Subject: Re: [PHP-DEV] New escaped output operator
From: walterp@gmail.com (Walter Parker)
To: Scott Arciszewski
Cc: Lester Caine, PHP Internals
Date: Sun, 19 Jun 2016 10:48:57 -0700

From your story Scott, it looks like the failure was bad input filtering, not input filtering in general. If sites are really trying to be secure, they should follow both Lester's and your ideas and filter on input and escape on output.

Given your second link, the better suggestion is to stop taking raw HTML. Assuming user generated HTML is ever safe to re-render in an output page has been a bad idea for years. eBay/PayPal once thought that stripping all letters and numbers from JavaScript was enough to make it safe; it wasn't. Somebody used just things like (){}[]=+ to build functional attack scripts.

While a simple method of output escaping seems like a good idea, I agree with the others that point out that is one of those security systems where getting it 90% correct is worse than not doing anything at all.
Things like this will cause people to be blindsided when the uncaught escapes cause the next major security problem.

Walter

On Sun, Jun 19, 2016 at 10:28 AM, Scott Arciszewski wrote:

> On Sun, Jun 19, 2016 at 1:14 PM, Lester Caine wrote:
>
> > On 19/06/16 10:01, Marco Pivetta wrote:
> > > This basically means that you lack basic understanding of how escaping
> > > and user input are to be handled.
> > > Most apps out there are about getting a bunch of text from the user, then
> > > rendering it somewhere else in the app.
> > > Cleaning user input just leads to frustration and a big mess in most
> > > scenarios, which is why we're all talking about escaping output instead.
> > > This is not "cleaning" either, it's escaping, which is a non-destructive
> > > and reversible operation (which is why it works so well).
> >
> > Well we have to disagree ... simply expecting htmlspecialchars() to fix
> > all your problems without proper handling of the input text is 'the big
> > mess' and there is NO need to simply slap htmlspecialchars() onto
> > properly built data so the idea that > totally pointless!
> >
> > --
> > Lester Caine - G8HFL
> > -----------------------------
> > Contact - http://lsces.co.uk/wiki/?page=contact
> > L.S.Caine Electronic Services - http://lsces.co.uk
> > EnquirySolve - http://enquirysolve.com/
> > Model Engineers Digital Workshop - http://medw.co.uk
> > Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
>
> Let me tell you a story.
>
> Once upon a time, WordPress decided to escape user input to protect against
> XSS attacks. Then this happened: https://klikki.fi/adv/wordpress2.html
> (Stored XSS via MySQL Column Truncation vulnerability.)
>
> Escaping against XSS attacks should happen on output, not on input. Dead
> stop.
>
> You MAY cache the escaped output for performance gains, but keep the
> unescaped data in the database in case you need to adjust your escaping
> strategy without mangling existing data.
>
> Further reading:
>
> https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know
>
> Scott Arciszewski
> Chief Development Officer
> Paragon Initiative Enterprises

--
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
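A small PHP illustration of the escape-on-output position argued in this thread, added here as an example and not code from the thread, from WordPress or from PHP itself; the sample comment, the escaper helpers and the render functions are all constructed for this demonstration, and the round-trip check shows why keeping the raw value in storage loses nothing.

```php
<?php
declare(strict_types=1);

// Constructed sample comment (not from the thread). It is stored exactly as typed.
const STORED_COMMENT = 'Tom & Jerry say "hi" <b>and</b> \'bye\'';

// HTML text/attribute context: escape only when rendering.
function escHtml(string $s): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string context: a JSON literal with the HEX flags stays safe inside <script>.
function escJs(string $s): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    return json_encode($s, $flags);
}

// The same raw value rendered into three contexts, each through its own escaper.
function renderComment(string $raw): string
{
    return '<p title="' . escHtml($raw) . '">' . escHtml($raw) . "</p>\n"
         . '<script>var comment = ' . escJs($raw) . ";</script>\n";
}

// What goes wrong when the value was already HTML-escaped before it was stored.
function renderFromEscapedStorage(string $escapedAtInput): array
{
    return [
        // Output layer escapes again: the reader sees "&amp;lt;b&amp;gt;" as literal text.
        'html_double_escaped' => escHtml($escapedAtInput),
        // Non-HTML context (plain-text mail, CSV, API JSON): "&lt;b&gt;" leaks through verbatim.
        'plain_text'          => $escapedAtInput,
        // The script receives entities instead of the text the user actually wrote.
        'js_wrong_content'    => escJs($escapedAtInput),
    ];
}

// Escaping is reversible (Marco's point in the thread), so storing raw data loses nothing.
function roundTrips(string $raw): bool
{
    return htmlspecialchars_decode(escHtml($raw), ENT_QUOTES | ENT_HTML5) === $raw;
}

echo renderComment(STORED_COMMENT);
print_r(renderFromEscapedStorage(escHtml(STORED_COMMENT)));
var_dump(roundTrips(STORED_COMMENT));
```

Run it with `php` from the command line; the second block of output shows the mangling an escape-on-input design produces as soon as the stored value is reused outside the one context it was escaped for.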