Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:95281 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 56739 invoked from network); 18 Aug 2016 01:34:14 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 18 Aug 2016 01:34:14 -0000 Authentication-Results: pb1.pair.com smtp.mail=smalyshev@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=smalyshev@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.67 as permitted sender) X-PHP-List-Original-Sender: smalyshev@gmail.com X-Host-Fingerprint: 209.85.220.67 mail-pa0-f67.google.com Received: from [209.85.220.67] ([209.85.220.67:33597] helo=mail-pa0-f67.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 5F/F4-23968-59015B75 for ; Wed, 17 Aug 2016 21:34:13 -0400 Received: by mail-pa0-f67.google.com with SMTP id vy10so505369pac.0 for ; Wed, 17 Aug 2016 18:34:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=j5sFZpKUwYxr1a8kQrlrYlsmSFVyrIdxBQOoEDhJe08=; b=bZnhTp58zNl7TigzA1UZ+mM7GNzTOJuINgWRVihsvvuBChsJd7O9C1IvTL4MEXMFB2 chzDFaT7Nk6yFhUWmLHOG7e9khR5l1mL94kjfxyRA5CsI6+4UmL9pNE3mZ1DQ43hxq7F s8gKEKtjZcFw1Cm5RXNGsJzXRoZ+asRSUnnshFXSIXw3r6Vk7VfHvCiXtpxL0pJDh+5I OFqv2MMbsHvTVjc4Vd/RVZSMFrIX3CgAoSd/excur6FzYMyWQmhicxbxe1IZA16fJXjw 9WKMrFvLuCPQJPM9IUdqDq4xFHOfu2/vaxISsz79E3diCBl6Ij+BJY4lfBGkZRSgBeCX hcJg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=j5sFZpKUwYxr1a8kQrlrYlsmSFVyrIdxBQOoEDhJe08=; b=erugzqBVcZfU2A9/OQtKT2ABx8spW8mRvCxvEBSLi7ufe+PH8oZPq4szJdTZm0lkjr aR7XvF1n4ljlp8nuP/9lafYjtcxMMLe0rq8k2TGArW5vAAM9fOevIotsFwlemQP3aopG lt9DphMZ8ezvMijcPjq6J+kiVMwBffkxBk1UVYrjJsVFkLxP+Z6nzyv76jW+W15o5g9P GZVODcYr+cWxJaMzYJozTOZHXQ5KEffAY2Ymuxs17tCzroebRb9hO94c7czc6MI5mC/U 2YXWTt+A/MWUuuHTk6QjBT72o+Nt6b0A9UpWOe4xOEeuq1Nc3GfU1qRPrr80hyL4I8SW iTTg== X-Gm-Message-State: AEkoouuNZqQi3fpx2iSSdFI3rD8OI2TS9csie+gRNGX5G+o3bcv7bx4N8C3IF4MTwSiLCA== X-Received: by 10.66.21.167 with SMTP id w7mr79421773pae.62.1471484050555; Wed, 17 Aug 2016 18:34:10 -0700 (PDT) Received: from Stas-Air.local ([216.216.202.69]) by smtp.gmail.com with ESMTPSA id e72sm50026088pfb.49.2016.08.17.18.34.09 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 17 Aug 2016 18:34:09 -0700 (PDT) To: Yasuo Ohgaki References: <7795ca21-bd70-fe65-9519-af95fdfee33f@gmail.com> Cc: Marco Pivetta , Dan Ackroyd , PHP Internals List Message-ID: <40279244-a1ba-2680-8a14-89708bcd1852@gmail.com> Date: Wed, 17 Aug 2016 18:34:08 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Add validation functions to filter module From: smalyshev@gmail.com (Stanislav Malyshev) Hi! > I think you wrote your JavaScript code to impose certain format for "date", > "phone", "zip", etc. It's not my JavaScript code, but your JavaScript code > that defines output of browser to your PHP web apps. There are a lot of use cases that don't have Javascript (or browser, for that matter) frontends. Not that it should matter, as browser is not under your code's control, it's under user's control, and you never know on the PHP side if such thing as browser exists at all. > Accept means that allow program to process input data. (continue execution) Then we disagree here. I strongly object to the notion that the program should stop execution at any unexpected data. This is only marginally better than crashing, and is not very helpful behavior. Modern application is expected to handle data in a more intelligent manner. > If your JavaScript date picker uses "YYYYMMDD" format (date like > 20160817) for a date, anything other than "YYYYMMDD" format is > attacker tampered inputs. You keep returning to Javascript. What I am asking you to consider is that we're not talking about Javascript, we are talking about PHP, and PHP has no relation to Javascript date picker. Some apps use Javascript date pickers, true, but there is a whole world of applications that do nothing of the sort. Javascript does not add much to the picture here. > It may be considered "valid input" means expected inputs from _legitimate_ > users. Anything other than "valid input" should not be accepted because > they come from non legitimate users. i.e. attackers. > > - Broken encoding > - CNTRL chars > - Bad format ( YYYYMMDD is the format for this case ) > - Too long or short ( Exactly 8 chars is the length for this case ) > - and so on > > are examples of invalid inputs. I think this has a smell of blacklisting, which is always almost wrong approach to dealing with data filtering/validation. Blacklists almost always lose to whitelists. If you have a whitelist filter that validates the data, you don't need to worry about chars, lengths and such separately. However, there's nothing here that requires the whitelist filter would bring down the app on failure. It should tell the business logic "this string you gave me is not a valid date" and business logic should deal with it. There's nothing special here in encodings, control chars, etc. that I can see that needs any special handling. > It may increase your work, but you'll get less risks in return. I don't see how. I can write intelligent code that produces helpful messages and be the same - in fact, more, see above about whitelisting - robust than blackbox code that explodes on bad inputs. > The input validation only reject invalid input. > > If you use plain for "date", then you should consider any valid > UTF-8 without CNTRL chars up to 100 char or so, not "YYYYMMDD". > (Assuming UTF-8 is the encoding) But why? If I just check for YYYYMMDD I automatically get all invalid UTF-8 etc. rejected, without even thinking about it. > Software design is upto developers. There are many softwares that do > not follow best practices. Nobody enforce to use the validator as I > explains. It's okay to me this is used by only users who need. As I > mentioned, ISO 27000/ISMS requires this kind of validations, not few > users may need this. I'm not sure what ISO says there, but I'm pretty sure ISO does not specify which exactly code you should use to validate your inputs. The objections are not about validating inputs as a concept, nobody would object to that, it's to specific model of doing this that you propose - namely, doing two separate validation passes, doing blacklisting and bailing out on validation failure. At least I would not do input validation in this manner. -- Stas Malyshev smalyshev@gmail.com