Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:95522
Return-Path: <yohgaki@ohgaki.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 86990 invoked from network); 31 Aug 2016 19:46:19 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 31 Aug 2016 19:46:19 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@ohgaki.net; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@ohgaki.net; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain ohgaki.net designates 180.42.98.130 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@ohgaki.net
X-Host-Fingerprint: 180.42.98.130 ns1.es-i.jp  
Received: from [180.42.98.130] ([180.42.98.130:39692] helo=es-i.jp)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id F1/00-20135-60437C75 for <internals@lists.php.net>; Wed, 31 Aug 2016 15:46:17 -0400
Received: (qmail 12037 invoked by uid 89); 31 Aug 2016 19:46:09 -0000
Received: from unknown (HELO mail-qt0-f177.google.com) (yohgaki@ohgaki.net@209.85.216.177)
  by 0 with ESMTPA; 31 Aug 2016 19:46:09 -0000
Received: by mail-qt0-f177.google.com with SMTP id 93so31064430qtg.2
        for <internals@lists.php.net>; Wed, 31 Aug 2016 12:46:09 -0700 (PDT)
X-Gm-Message-State: AE9vXwMdVQKNoz2/1xYQVuefOOAcdetM3796JLM2RzO5RfgN52D5CqTImR88AcLJk+WIfVMdYgzjmlm/XbFNnQ==
X-Received: by 10.237.53.206 with SMTP id d14mr13236795qte.83.1472672763487;
 Wed, 31 Aug 2016 12:46:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.85.242 with HTTP; Wed, 31 Aug 2016 12:45:22 -0700 (PDT)
In-Reply-To: <CAGa2bXarw2jTj0yhXpywWNQOJLR2pdhfaqSdwj_btT2giEL15Q@mail.gmail.com>
References: <CAGa2bXarw2jTj0yhXpywWNQOJLR2pdhfaqSdwj_btT2giEL15Q@mail.gmail.com>
Date: Thu, 1 Sep 2016 04:45:22 +0900
X-Gmail-Original-Message-ID: <CAGa2bXaA+uvh_wpRAHeiv+Xb-JOrTAkyoe3jzq3FVCEbfja_5w@mail.gmail.com>
Message-ID: <CAGa2bXaA+uvh_wpRAHeiv+Xb-JOrTAkyoe3jzq3FVCEbfja_5w@mail.gmail.com>
To: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [RFC][VOTE] Add validation functions to filter module
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi all,

On Mon, Aug 15, 2016 at 9:15 AM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:
>
> This RFC is to add functions that are suitable for input validations
> for secure coding. IMHO, these additions are mandatory for PHP.
>
> https://wiki.php.net/rfc/add_validate_functions_to_filter
> Vote ends 2016/08/22 23:59:59 UTC
>
> I don't mind suspend vote and continue discussion if there is issue.
> It's rather long RFC. Thank you for reading and voting!

Thank you for voting!
The RFC is declined 1 vs 13
A bit surprised this result.

I requested the reason of objection, but many of them does not disclose why.

https://wiki.php.net/rfc/add_validate_functions_to_filter#proposed_voting_choices
bwoebi (bwoebi)
colinodell (colinodell)
danack (danack)
derick (derick)
diegopires (diegopires)
guilhermeblanco (guilhermeblanco)
kguest (kguest)
levim (levim)
lstrojny (lstrojny)
marcio (marcio)
nikic (nikic)
ocramius (ocramius)
peehaa (peehaa)
santiagolizardo (santiagolizardo)


I would like to summarize objection points during discussion.
I assume above of us voted no for these reasons.

0. Input data validation cannot be done because client can be anything.
1. Input data validation should show what's wrong, not exception.
2. Input data validation error and input mistake error should be treated
    by the same code to remove code redundancy.
3. Current filter module is good enough.

IMO. These are clearly wrong reasons of objection.

0. Almost all input data can be validated because of
     - Web standards. e.g. Almost all form input must be "valid string".
     - Client side validation. e.g. JS, HTML5.
     - Many parameters are set by program and shouldn't be changed.
       e.g. Select, radio, hidden, database record ID.

1. Showing what's wrong in input validation is _ANTI_ practice of security.
    - Developers should _NOT_ show error details unless it has to, otherwise
      it helps attackers to tamper system.
    - "You have broken encoding", "You have unallowed CNTRL char", etc, are
      the same as "You have entered wrong user name", "You have entered
      wrong password", "You have entered too long password", etc.

2. This is not reasonable choice for large applications that have higher
    security requirements.
    - Strict input validation should check all inputs including request
      headers and cookies. Checking these in business logic makes
      things messy and complicated, hence easy to make mistakes.

3. Current filter module does not work for strict validations.
    - I don't repeat. It just does not work well for strict validation.

(NOTE: "input validation" is "the input validation" mentioned in the RFC)

If you have question, I don't mind at all to explain more. I think most of
you misunderstood the concept.

If you have other reason(s), please let me know to improve RFC.
Thank you!

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net