Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:95556
Return-Path: <yohgaki@ohgaki.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 83433 invoked from network); 2 Sep 2016 10:13:11 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 2 Sep 2016 10:13:11 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@ohgaki.net; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@ohgaki.net; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain ohgaki.net designates 180.42.98.130 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@ohgaki.net
X-Host-Fingerprint: 180.42.98.130 ns1.es-i.jp  
Received: from [180.42.98.130] ([180.42.98.130:44295] helo=es-i.jp)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 20/13-19490-B8059C75 for <internals@lists.php.net>; Fri, 02 Sep 2016 06:12:33 -0400
Received: (qmail 10634 invoked by uid 89); 2 Sep 2016 10:12:23 -0000
Received: from unknown (HELO mail-qk0-f178.google.com) (yohgaki@ohgaki.net@209.85.220.178)
  by 0 with ESMTPA; 2 Sep 2016 10:12:23 -0000
Received: by mail-qk0-f178.google.com with SMTP id t7so112722947qkh.1
        for <internals@lists.php.net>; Fri, 02 Sep 2016 03:12:22 -0700 (PDT)
X-Gm-Message-State: AE9vXwNSSA1ySY5o7MqM/Hv2Ce+b2tH0dHyJ5qT+a8dttdOGpE90xDqtCvikkzV8xCuGqtcijYP+79OouIAiww==
X-Received: by 10.55.95.71 with SMTP id t68mr22633210qkb.61.1472811136639;
 Fri, 02 Sep 2016 03:12:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.85.242 with HTTP; Fri, 2 Sep 2016 03:11:35 -0700 (PDT)
In-Reply-To: <2de35db0-9974-cc96-83dd-3d2dbd48f7f8@lsces.co.uk>
References: <CAGa2bXarw2jTj0yhXpywWNQOJLR2pdhfaqSdwj_btT2giEL15Q@mail.gmail.com>
 <CAGa2bXaA+uvh_wpRAHeiv+Xb-JOrTAkyoe3jzq3FVCEbfja_5w@mail.gmail.com>
 <232F1604-2211-4351-B830-EDC958A25D6D@strojny.net> <CAGa2bXb2y4afY28rwdcjgxUEkr41ZPMMdj4dUtMDVtJLBONAbA@mail.gmail.com>
 <2de35db0-9974-cc96-83dd-3d2dbd48f7f8@lsces.co.uk>
Date: Fri, 2 Sep 2016 19:11:35 +0900
X-Gmail-Original-Message-ID: <CAGa2bXYG1Or9+SGf3Rm4Yi5KUQ1mwnffTSSzuwARpy4bFfXB=w@mail.gmail.com>
Message-ID: <CAGa2bXYG1Or9+SGf3Rm4Yi5KUQ1mwnffTSSzuwARpy4bFfXB=w@mail.gmail.com>
To: Lester Caine <lester@lsces.co.uk>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Lester,

On Fri, Sep 2, 2016 at 5:42 PM, Lester Caine <lester@lsces.co.uk> wrote:
> On 02/09/16 01:25, Yasuo Ohgaki wrote:
>> I don't understand why new validator would cause more problems than
>> solving. If users validate all inputs (e.g. request headers, cookies,
>> all of post/get tampering), apps became much more secure. This task
>> does not belong to business(app) logic. Even when users use the
>> validator non optimal way, it will improve security.
>
> The whole problem with that statement is at what point do you
> distinguish between an input being invalid because it does not meet some
> validation such as bigger than X for 'validation' reasons rather than
> 'business logic' reasons. STILL in my book, it's the business logic that
> defines the base validation but I don't need DbC as a straight jacket to
> define that. Adding additional 'woolly' validation checks around the
> base validation is a pointless exercise if the rules of the base
> validation are available to use.

Security purpose input validation (injection prevention mainly)
differs from what business logic does. Business logic should
focus on logical correctness while input validation should focus
on security.

I've audited number of MVC applications and have to admit that
input validations in models are _poor_. Besides input validation
should be done ASAP, model validation is very poor in many cases.
i.e. Not good enough for security purpose.

This is _natural_ because what business logic should take care is
"Logic", not what data should look like, data have correct encoding,
make sure request headers/cookies/post/get are not tampered, etc.

Taking care of tampered data by business logic will reduce both
readability and maintainability. And more importantly, make code
less secure because programmers tend to focus on logic
in model, not input data validations.

Validations in model being less secure is proven already.
It is not a surprise since model is for "business logic".
(If app requirement is ok with validation with model, it's ok to
design so. Not all apps should have ideal secure coding.)

Why shouldn't we have more secure validation?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net