Newsgroups: php.internals
Xref: news.php.net php.internals:95227
To: Stanislav Malyshev, Tony Marston, internals@lists.php.net
Message-ID: <1c43f0c1-18da-c25d-3bc3-0f57813cacb0@gmx.de>
In-Reply-To: <3f4ee584-0f69-cbaa-4ae5-52670fe4d4c9@gmail.com>
Date: Tue, 16 Aug 2016 11:01:40 +0200
Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Add validation functions to filter module
From: cmbecker69@gmx.de ("Christoph M. Becker")

Hi!

On 16.08.2016 at 08:42, Stanislav Malyshev wrote:

>> Yasuo (who Dan quoted here) refers to completely invalid input, such as
>> invalid UTF-8 byte sequences. I think that in this case the app should
>> bail out without even giving detailed information, as such grossly
>> invalid input most likely is an attempt to attack (or a severe browser bug).
>
> I personally am not a big fan of "bail out without giving information",
> unless that information somehow crosses a security boundary (e.g.
> displaying PHP error messages in production) or reveals unnecessary info
> (this part is super-tricky in crypto, but outside of crypto common sense
> is usually not a bad guide).
>
> Now, how much easier your life would be if your app would just report
> "invalid UTF-8 sequence encountered in parameter FirstName" before
> bailing out? How many hours, pulled-out hairs and 4am sessions would it
> save? I think it's worth considering.

I once introduced a check erroring with "Malformed UTF-8 detected" to a CMS.
Until that was changed to "Bad request. Please try again.", we got a lot of
support requests from confused users who had bookmarked URLs with ISO-8859-*
query strings. Even pointing out which parameter was the culprit wouldn't
have changed that, I presume.

Of course, it makes sense to *log* very detailed information in this case
(amongst others, the byte sequence that was malformed), but presenting it to
visitors doesn't seem to be helpful – most of these wouldn't even know what
UTF-8 is.

-- 
Christoph M. Becker
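The split Christoph describes (detailed server-side log, generic message for the visitor) as an added example in PHP; this is not code from the thread, from the CMS mentioned, or from the filter extension. It assumes the function names `utf8_first_error()`, `check_params_utf8()` and `handle_request()` and the log-line format, all chosen here for illustration. `mb_check_encoding()` answers only yes/no, so the example scans the bytes itself to report the offset of the first malformed sequence, and it hex-encodes the offending bytes and strips non-printables from the parameter name so the log entry cannot corrupt a UTF-8 log file or inject fake lines.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread or from ext/filter). Names and log
// format are assumptions for illustration.

/** Offset of the first malformed UTF-8 sequence in $s, or null if well-formed. */
function utf8_first_error(string $s): ?int
{
    $n = strlen($s);
    $i = 0;
    while ($i < $n) {
        $b = ord($s[$i]);
        if ($b < 0x80) { $i++; continue; }
        // Lead byte decides how many continuation bytes follow and the
        // allowed range of the first one (rejects overlongs and surrogates).
        if ($b >= 0xC2 && $b <= 0xDF)     { $need = 1; $lo = 0x80; $hi = 0xBF; }
        elseif ($b === 0xE0)              { $need = 2; $lo = 0xA0; $hi = 0xBF; }
        elseif ($b === 0xED)              { $need = 2; $lo = 0x80; $hi = 0x9F; }
        elseif ($b >= 0xE1 && $b <= 0xEF) { $need = 2; $lo = 0x80; $hi = 0xBF; }
        elseif ($b === 0xF0)              { $need = 3; $lo = 0x90; $hi = 0xBF; }
        elseif ($b === 0xF4)              { $need = 3; $lo = 0x80; $hi = 0x8F; }
        elseif ($b >= 0xF1 && $b <= 0xF3) { $need = 3; $lo = 0x80; $hi = 0xBF; }
        else { return $i; }                // 0x80-0xC1, 0xF5-0xFF: never a lead byte
        if ($i + $need >= $n) { return $i; } // truncated sequence at end of input
        $c = ord($s[$i + 1]);
        if ($c < $lo || $c > $hi) { return $i; }
        for ($k = 2; $k <= $need; $k++) {
            $c = ord($s[$i + $k]);
            if ($c < 0x80 || $c > 0xBF) { return $i; }
        }
        $i += $need + 1;
    }
    return null;
}

/** Log lines for every malformed parameter (empty array: all well-formed). */
function check_params_utf8(array $params, string $prefix = ''): array
{
    $problems = [];
    foreach ($params as $name => $value) {
        // Parameter names are attacker-controlled too: keep only printable
        // ASCII so a crafted name cannot inject newlines into the log.
        $safeName = preg_replace('/[^\x20-\x7E]/', '?', (string) $name);
        $full = $prefix === '' ? $safeName : $prefix . '[' . $safeName . ']';
        if (is_array($value)) {                     // nested a[b]=... parameters
            $problems = array_merge($problems, check_params_utf8($value, $full));
            continue;
        }
        $offset = utf8_first_error((string) $value);
        if ($offset === null) {
            continue;
        }
        // Hex, never the raw bytes: the raw bytes are what is malformed.
        $bytes = bin2hex(substr((string) $value, $offset, 8));
        $problems[] = sprintf('Malformed UTF-8 in parameter "%s" at byte %d: %s',
                              $full, $offset, $bytes);
    }
    return $problems;
}

/** Detailed entry to the server log, generic message to the client. */
function handle_request(array $query, callable $logger): array
{
    $problems = check_params_utf8($query);
    if ($problems !== []) {
        foreach ($problems as $line) {
            $logger($line);
        }
        return [400, 'Bad request. Please try again.'];
    }
    return [200, 'OK'];
}

// Constructed sample: a bookmarked URL from when the site was ISO-8859-1,
// so "ü" in "Müller" arrives as the single byte 0xFC.
parse_str("name=M\xFCller&page=2", $query);
[$status, $message] = handle_request($query, function (string $line): void {
    error_log($line);   // stays in the server log, never on the page
});
echo "$status $message\n";
```

Because the validator is byte-level, it works without the mbstring extension and reports the offset; if mbstring is available, `mb_check_encoding($value, 'UTF-8')` can serve as the fast first check and the scan above only runs for the parameters that fail it.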