Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Add validation functions to filter module
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
Date: Wed, 17 Aug 2016 08:16:19 +0900
To: "Christoph M. Becker"
Cc: Stanislav Malyshev, Tony Marston, "internals@lists.php.net"
In-Reply-To: <1c43f0c1-18da-c25d-3bc3-0f57813cacb0@gmx.de>

Hi Christoph,

On Tue, Aug 16, 2016 at 6:01 PM, Christoph M. Becker wrote:
> On 16.08.2016 at 08:42, Stanislav Malyshev wrote:
>
>>> Yasuo (who Dan quoted here) refers to completely invalid input, such as
>>> invalid UTF-8 byte sequences. I think that in this case the app should
>>> bail out without even giving detailed information, as such grossly
>>> invalid input most likely is an attempt to attack (or a severe browser bug).
>>
>> I personally am not a big fan of "bail out without giving information",
>> unless that information somehow crosses a security boundary (e.g.
>> displaying PHP error messages in production) or reveals unnecessary info
>> (this part is super-tricky in crypto, but outside of crypto common sense
>> is usually not a bad guide).
>>
>> Now, how much easier your life would be if your app would just report
>> "invalid UTF-8 sequence encountered in parameter FirstName" before
>> bailing out? How many hours, pulled out hairs and 4am sessions would it
>> save? I think it's worth considering.
>
> I once introduced a check erroring with "Malformed UTF-8 detected" to a
> CMS. Until that was changed to "Bad request. Please try
> again.", we got a lot of support requests from confused users who
> had bookmarked URLs with ISO-8859-* query strings. Even pointing out
> which parameter was the culprit wouldn't have changed that, I presume.
>
> Of course, it makes sense to *log* very detailed information in this
> case (amongst others, the byte sequence that was malformed), but
> presenting them to visitors doesn't seem to be helpful – most of these
> wouldn't even know what UTF-8 is.

Excellent example of an input validation exception!
Software has history; therefore, certain validation cannot be done automatically. For the record, many security standards/guides require input data to be "canonicalized" _before_ input validation. If anyone would like to validate a "String", canonicalize first.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
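Added example, not from the thread and not part of PHP's filter module: the canonicalize-then-validate flow the messages above describe, with the legacy ISO-8859-1 bookmark case handled as a canonicalization step, the malformed bytes written to the log, and only a generic message shown to the visitor. The function names, the $acceptLatin1 switch and the sample bytes are assumptions constructed for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * Canonicalize a request parameter to UTF-8 before validating it.
 * Returns the canonical string, or null when the bytes cannot be made
 * sense of. Details go to the log, never to the visitor.
 */
function canonicalize_param(string $name, string $raw, bool $acceptLatin1): ?string
{
    if (mb_check_encoding($raw, 'UTF-8')) {
        return $raw;
    }
    // Log precise evidence; hex is safe to write into a log line.
    error_log(sprintf('malformed UTF-8 in parameter %s: %s', $name, bin2hex($raw)));
    if (!$acceptLatin1) {
        return null;
    }
    // Legacy fallback ("software has history"): old bookmarks carry
    // ISO-8859-1 query strings. Every byte is a valid Latin-1 code point,
    // so this conversion never fails; enabling it is a policy decision.
    return mb_convert_encoding($raw, 'UTF-8', 'ISO-8859-1');
}

/** Validate an already-canonical first name: letters, marks, space, ' and -. */
function validate_first_name(string $canonical): bool
{
    return preg_match('/\A[\p{L}\p{M} \'-]{1,64}\z/u', $canonical) === 1;
}

// Constructed sample: "José" as Latin-1 bytes (0xE9 is not valid UTF-8),
// the way an old bookmarked URL would send it.
$raw = "Jos\xE9";
foreach (['legacy-aware' => true, 'strict' => false] as $mode => $acceptLatin1) {
    $canonical = canonicalize_param('FirstName', $raw, $acceptLatin1);
    if ($canonical === null || !validate_first_name($canonical)) {
        // What the visitor sees: nothing about encodings or parameters.
        echo "$mode: Bad request. Please try again.\n";
        continue;
    }
    echo "$mode: accepted as $canonical\n";
}
```

In legacy-aware mode the sample is accepted as "José"; in strict mode the visitor gets the generic message while the log records the parameter name and the hex bytes 4a6f73e9.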