Late last year I started a discussion on this list with a proposal
to add Perl/Ruby-like taint support to PHP - a feature that a
developer may turn on to find out where to insert explicit cleaning
operations to avoid code injection etc. vulnerabilities. With
applications that are explicitly written to be taint aware, taint
support may also help at run-time as an additional safety net.

In the unavoidable trade-off between performance and developer
impact, this approach minimizes the performance hit; the developer
provides the explicit cleaning operations. Other taint-for-PHP
approaches make a different trade-off; they typically avoid developer
impact altogether, but come at the cost of a larger performance hit.

After a bunch of other work that needed to be done I've resumed
work on PHP and I'm currently working on a rough prototype that
supports taint in the core and in a bunch of standard built-ins.
Overhead is minimal because it's just setting and testing a few
normally unused bits in the zval structure. I expect to get some
actual performance data once the implementation is complete enough,
and to have a first implementation out the door sometime in September.

Wietse
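
The mechanism described in the post above, as a small C model added here for illustration; it is not part of the original message, the prototype, or PHP's source. The `value` struct, the two taint bits, all function names and the quote-doubling cleaner are assumptions chosen to show flag bits being set at a source, propagated, cleared by an explicit cleaning operation and tested at a sink.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical value model, NOT PHP's real zval: a string plus flag bits. */
/* malloc error handling and free() are omitted to keep the sketch short.  */
#define TAINT_SQL  0x01u                 /* not yet safe inside SQL text */
#define TAINT_HTML 0x02u                 /* not yet safe inside HTML     */
typedef struct { char *str; unsigned flags; } value;

static value make(const char *s, unsigned flags) {
    value v = { malloc(strlen(s) + 1), flags };
    strcpy(v.str, s);
    return v;
}
/* Sources: request data starts with every taint bit set, literals with none. */
value from_request(const char *s) { return make(s, TAINT_SQL | TAINT_HTML); }
value literal(const char *s)      { return make(s, 0); }

/* Propagation: the result carries the union of both operands' bits. */
value concat(value a, value b) {
    value r = { malloc(strlen(a.str) + strlen(b.str) + 1), a.flags | b.flags };
    strcpy(r.str, a.str);
    strcat(r.str, b.str);
    return r;
}
/* Explicit cleaning (toy escaper: doubles single quotes); clears one bit only. */
value sql_clean(value in) {
    value r = { malloc(2 * strlen(in.str) + 1), in.flags & ~TAINT_SQL };
    size_t n = 0;
    for (const char *p = in.str; *p; p++) {
        if (*p == '\'') r.str[n++] = '\'';
        r.str[n++] = *p;
    }
    r.str[n] = '\0';
    return r;
}
/* Sink: a single bit test; -1 means the query was refused, 0 means accepted. */
int sql_query(value q) { return (q.flags & TAINT_SQL) ? -1 : 0; }

int main(void) {
    value name = from_request("O'Brien");          /* constructed sample input */
    value head = literal("SELECT * FROM t WHERE n='"), tail = literal("'");
    value raw  = concat(concat(head, name), tail);
    value safe = concat(concat(head, sql_clean(name)), tail);
    printf("raw:  %d\nsafe: %d (%s), html bit still set: %u\n", sql_query(raw),
           sql_query(safe), safe.str, safe.flags & TAINT_HTML);
    return 0;
}
```

The per-operation cost in this model is one OR on propagation and one AND at the sink, and the cleaned value keeps its HTML bit, so it would still be refused by a sink that tests `TAINT_HTML`.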
Hi,

It seems you had an interesting idea, but AFAIK it'll not be incorporated
in core by the PHP Team.

Yeah, sounds bad, but you cannot simply turn all variables into
objects and try to get them.

Seems you're trying something like this:

    $_GET['foo']->asString(); // echo: Bar

This will never happen; PHP will not change its behavior to fulfill it.

I already thought like you and I even spent some time developing a
tool to simplify my job. The concept you are trying to implement is named
Poka-Yoke (http://en.wikipedia.org/wiki/Poka_yoke) - and please
again... do not tell me this is like Pokémon.

I already asked here, when I was developing this feature, about a
limitation PHP currently has, but this is not the current discussion.

Just to let you know, if you are thinking of doing something like what I
already showed you as an example, forget it. If you are trying something
different, like:

    taint_string( $_GET['foo'] ); // echo: Bar

Then you need to think correctly about what you want to achieve. There
are zillions of PHP applications running out there and none of them
will be converted to use a taint package.

The first example illustrates how PHP should behave with a taint
extension; and accessing the data directly ($_GET['foo']) should throw an
error.

My idea: Keep things simple and validate all your data using PHP. You
do not have to go "behind the scenes" and create a C library to
achieve it.

If you are interested, I already implemented the PokaYoke approach and
I made it available for you at:
http://blog.bisna.com/files/PokaYoke.zip
I also published the running package: http://blog.bisna.com/files/PokaYoke/

Take a look at the examples... I published the phps files if you are
lazy and do not want to download the zip file. You can incorporate the
module and keep it project specific.

My implementation was never released to the public, but it works as
expected. It's better to make a project-specific feature and use it
instead of trying to create a module.

Best regards,
--
Guilherme Blanco - Web Developer
CBC - Certified Bindows Consultant
Cell Phone: +55 (16) 9166-6902
MSN: guilhermeblanco@hotmail.com
URL: http://blog.bisna.com
São Carlos - SP/Brazil
Marco Tabini wrote a great article in php|Architect (Vol 5 Iss 2 Feb
2006 Pgs 16-24) on Poka Yoke.
--
Richard Quadling
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731
"Standing on the shoulders of some very clever giants!"
http://www.phparch.com/issue.php?mid=74
--
Richard Quadling
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731
"Standing on the shoulders of some very clever giants!"
Hi,

@Graham: It will probably be one of the two:
1- Overwrite the superglobal indexes ( $_GET['foo']->asFloat() )
2- Use a method/class to taint the value ( taint_float( $_GET['foo'] ) )
I illustrated both and why both have their drawbacks.

@Richard: I already read Marco's article. My implementation is
another implementation of what he suggested, with some new
features as well.
Anyway, that's a good reference for everyone who wants to know a
little bit more about this approach.

Regards,
--
Guilherme Blanco - Web Developer
CBC - Certified Bindows Consultant
Cell Phone: +55 (16) 9166-6902
MSN: guilhermeblanco@hotmail.com
URL: http://blog.bisna.com
São Carlos - SP/Brazil