Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:95341 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 62927 invoked from network); 21 Aug 2016 04:39:50 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 21 Aug 2016 04:39:50 -0000 Authentication-Results: pb1.pair.com header.from=smalyshev@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=smalyshev@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.218.46 as permitted sender) X-PHP-List-Original-Sender: smalyshev@gmail.com X-Host-Fingerprint: 209.85.218.46 mail-oi0-f46.google.com Received: from [209.85.218.46] ([209.85.218.46:36282] helo=mail-oi0-f46.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 91/B0-50790-59039B75 for ; Sun, 21 Aug 2016 00:39:49 -0400 Received: by mail-oi0-f46.google.com with SMTP id f189so112490938oig.3 for ; Sat, 20 Aug 2016 21:39:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=xQpQhzICEVxiQO2RGeAYv4O7GlkM1MluN8p2kySlORI=; b=fMkvWs376K17TjFutHQ3gG4xPHgE+a55k3I9gTIZOwj+Ho3lPaIAZPs5N/B7ZtB9G1 lH1tBJJ6fr+rtfgIQ1QMfYS0dyMFD7rX2m8slxE5qcTtgXyAAd2bTgQhfuVhpjqxD8vI tt+SwD76e8Tt3Xl5gRoiY3Hlau7fw5vzrHupTac/obk95bF9JeVAJ7LxKsgLOEHRn4SE KnrhjgF7VZDhVPEeBYBQsGL/hN8i1TWJ7x/wQie4winYxW6MkwoKUSbZbrnGxwHvqQlY wrpJFQuxuE2wQwlkNP7zrqp+LjCIV6LbLpz38VPXZgbYEFzfrO6nUCLIOEKIEqw1CpsU L+MQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=xQpQhzICEVxiQO2RGeAYv4O7GlkM1MluN8p2kySlORI=; b=lHrOCQXWl2E8uFS2RLB/pyMluOI0RIwIXgwMRjUuqFq9Sp3ihb8L+uc+5emBx8KCL2 5XbiQhS99ypypS+AiCZ+RTPkCapSK8zYvKidaAGWjIHo1ZXtPgR6r6HBs4wHMlWfpY81 tbmmGTVP21c5LGJegGRHRth7QDcPZWRm+NhGcaAU8iaag3B5LKbRJ7wAlpfcYdnwU3tu yTxS/zyI19fnHIvmByFkn5QiwN3sX1kRwACNbA5rSiJslwa+i7inAwKou7hw7aIXPgCw U6LG/y5j9x09CLovD/Wf93KNLhrQba7hHTqkWgRSLb5u8+fA4BG1/DGGRdWMDlWzIj0b 3XKQ== X-Gm-Message-State: AEkooutb30WsFP7QOD7t/X2AhI9eXn3vji0s9wvQ0Xl9DA+6WWC2ArGirYPAsu2Mu9guLQ== X-Received: by 10.202.56.85 with SMTP id f82mr8309282oia.107.1471754386822; Sat, 20 Aug 2016 21:39:46 -0700 (PDT) Received: from Stas-Air.local (108-233-206-104.lightspeed.sntcca.sbcglobal.net. [108.233.206.104]) by smtp.gmail.com with ESMTPSA id p35sm8523787otp.40.2016.08.20.21.39.45 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 20 Aug 2016 21:39:46 -0700 (PDT) To: Yasuo Ohgaki References: <7795ca21-bd70-fe65-9519-af95fdfee33f@gmail.com> <40279244-a1ba-2680-8a14-89708bcd1852@gmail.com> Cc: Marco Pivetta , Dan Ackroyd , PHP Internals List Message-ID: <267d257c-a093-d25b-02ea-737b535fa1e2@gmail.com> Date: Sat, 20 Aug 2016 21:39:39 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Add validation functions to filter module From: smalyshev@gmail.com (Stanislav Malyshev) Hi! > It's possible to design web pages/services to "unknown clients", but > it's exceptional cases. No, it's not. Every service exposed to the internet is for unknown clients. > Almost all systems have intended clients. If protocol is HTTP/HTTPS, > developers may reject strange data that cannot be right for > HTTP/HTTPS. Even higher level than PHP does this. i.e. HTTP servers > will rejects malformed and/or prohibited request and terminates > execution. Web Application Firewall does more fancy things and True, because we can have no PHP business logic that can work on HTTPS level. We can have PHP business logic that works on PHP level though. > validate/check, in general. IMHO, use of WAF is more burden and > costly than the input validation that I'm proposing. I'm not sure where WAF comes in - these are two completely different uses. > Web application developers have right to define "valid" inputs. ("have > right" does not mean "can do anything") PHP script termination for > invalid input is just one of terminations. It's nothing special. You can perfectly well have your app do anything you like - including termination - on filter failure. I don't see how it necessitates making new set of filters though? > I think your premise is "Show nice error message for any errors, > proceed as normal case". (Handle invalid/insane data just like mistakes) > > My premise is "Shouldn't show nice messages to attacker, terminate as > abnormal case". (Treat them as attack or serious system bug) > > It's design choice. Either way is possible. Sure, and it's possible with current filters too. If the check fails, and you want to terminate, what prevents you from doing: if(!filter_var($var, FILTER_VALIDATE_INT) === false) { exit(); } Am I missing some important point here? -- Stas Malyshev smalyshev@gmail.com