To: "internals@lists.php.net"
Date: Wed, 7 Sep 2016 10:19:36 +0100
Subject: Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module
From: lester@lsces.co.uk (Lester Caine)

On 06/09/16 23:57, Yasuo Ohgaki wrote:
> It may differ from your software security model. Programmers are free
> to choose which model to adopt. However, one shouldn't disturb
> mandatory tool implementation for recommended security model by secure
> coding specialists, IMHO. If you don't like/need it, it's free not to use
> it after all.

My security model is no different to yours. But in my model 'Add validation functions to filter module' is adding another layer of checks and I think I'm simply adding them in a different place.

I return to the original question which has not yet been answered. The block of input data being supplied from whatever source needs to be converted to a set of variables in PHP. That could be variables in a class, an associative array as in $_POST or simple variables which are probably ancient history now. If the definition of a variable is improved to include ALL of the validation we ideally need and I include setStrict(int) in that then at run time we can both validate input and decide on the error model that is applied. I think DbC is a wrapper at the development level as you describe it and we are back at the 'annotation' debate.

What I'm still looking for is primary annotation such as 'strict' if appropriate although I would look at that as 'between 0 and 200' rather than expecting a clean binary integer to be supplied via some interface. I can use the annotation information to build the browser side validation, and know that I'm working with the same set of rules, and I would also include escaping rules so that the general string data can manage if material of a suspect nature is being processed. Such as WRITING the script files that are needed to output the elements that a blanket htmlentities() filter would block! If one is building template and JavaScript packages of code in the database then you need to filter the malicious stuff before saving them and ensure the stored data is clean.

I could envisage loosening the validation checks on a secure private network where malicious activity would be a firing offence, but the sort of layer of security I'm looking at should not introduce any more delay than the normal.

The way it falls down is if people can't be bothered to set the validation values up ... or create your filter array. Default rules such as your crude filters are a point for discussion.

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
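
An added illustration, not part of the original message or of the RFC under vote: one way a single per-variable rule set, such as the 'between 0 and 200' case described above, could drive both the server-side check and the browser-side constraints, using PHP's existing filter_var() and htmlspecialchars(). The RULES array, the field names and both helper functions are hypothetical.

```php
<?php
// Hypothetical rule set: one definition per input variable (names are constructed).
const RULES = [
    'age'  => ['type' => 'int', 'min' => 0, 'max' => 200],
    'name' => ['type' => 'string', 'maxlen' => 40],   // length counted in bytes
];

// Server side: check raw input against the rules; returns [clean values, errors].
function validate_input(array $rules, array $raw): array
{
    $clean = [];
    $errors = [];
    foreach ($rules as $field => $rule) {
        $value = $raw[$field] ?? null;
        if (!is_string($value)) {              // missing, or an array such as age[]=1
            $errors[$field] = 'missing or not a string';
        } elseif ($rule['type'] === 'int') {
            $int = filter_var($value, FILTER_VALIDATE_INT, [
                'options' => ['min_range' => $rule['min'], 'max_range' => $rule['max']],
            ]);
            if ($int === false) {              // strict compare: "0" is a valid value
                $errors[$field] = "must be an integer {$rule['min']}..{$rule['max']}";
            } else {
                $clean[$field] = $int;
            }
        } elseif (strlen($value) > $rule['maxlen']) {
            $errors[$field] = "longer than {$rule['maxlen']} bytes";
        } else {
            $clean[$field] = $value;           // stored as-is, escaped only on output
        }
    }
    return [$clean, $errors];
}

// Browser side: derive the HTML5 constraint attributes from the same rule.
function html_input(string $field, array $rule, string $value = ''): string
{
    $attrs = $rule['type'] === 'int'
        ? sprintf('type="number" min="%d" max="%d"', $rule['min'], $rule['max'])
        : sprintf('type="text" maxlength="%d"', $rule['maxlen']);
    return sprintf('<input name="%s" %s value="%s">',
        htmlspecialchars($field, ENT_QUOTES, 'UTF-8'), $attrs,
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample request: 'age' is out of range, 'name' carries markup.
[$clean, $errors] = validate_input(RULES, ['age' => '250', 'name' => '<b>Lester</b>']);
print_r($errors);
echo html_input('age', RULES['age']), "\n", html_input('name', RULES['name'], $clean['name']), "\n";
```

The browser-side attributes are a convenience for the user only; the server-side check is the one that enforces the rule, since a client can submit anything.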