Please consider making ‘taint’ a first-class feature/extension in PHP 7.0.
https://pecl.php.net/package/taint https://pecl.php.net/package/taint
Christopher Owen.
Hi Christopher
2015-09-14 4:44 GMT+02:00 Christopher Owen christopher.owen@live.com:
Please consider making ‘taint’ a first-class feature/extension in PHP 7.0.
It is way too late for any extension to be included in the 7.0 release
now, but you can write an RFC targetting 7.1, please see the wiki for
more details[1].
--
regards,
Kalle Sommer Nielsen
kalle@php.net
Hi Christopher
2015-09-14 4:44 GMT+02:00 Christopher Owen christopher.owen@live.com:
Please consider making ‘taint’ a first-class feature/extension in PHP 7.0.
It is way too late for any extension to be included in the 7.0 release
now, but you can write an RFC targetting 7.1, please see the wiki for
more details[1].
Thank you for the advice; it makes much more sense to target 7.1.
We can see that Wietse Venema; the same man who wrote the highly regarded, security hardened email software Postfix; has authored an RFC for taint's inclusion to PHP the past [1]. Also, a reference implementation has been most recently championed by Xinchen (Laruence) Hui, a core php developer [2].
Given those that came before me, I’m not certain that I can add much in the way of reputation or skill to the request to add taint as a first-class feature of PHP 7.1, but if there are any procedural efforts required then I will be happy to champion them.
I can add that I have personally found taint (either in its original form in perl[3] or as an extension in php) a valuable tool in refactoring legacy php code to reduce SQL injection attack surface.
As authorative internet ‘top ten’ lists will list SQL injection as the number one security vulnerability facing web applications [4] and given the scale of deployed php, efforts to improve tooling (or in this case, the availability of existing tooling) to discover this class of vulnerabilities will have a positive impact on a global scale.
Kind regards,
Christopher Owen.
[1] https://wiki.php.net/rfc/taint https://wiki.php.net/rfc/taint
[2] http://pecl.php.net/package/taint http://pecl.php.net/package/taint
[3] http://perldoc.perl.org/perlsec.html#Taint-mode http://perldoc.perl.org/perlsec.html#Taint-mode
[4] http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf <http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
2015-09-14 4:44 GMT+02:00 Christopher Owen christopher.owen@live.com:
Please consider making ‘taint’ a first-class feature/extension in PHP 7.0.
I would echo Kalle's suggestion of 7.1.
But I think you will find it hard to get support... I was pushing this a few weeks ago (either the one from Wietse Venema, the one from Matt Tait, or even my own suggestion), but it seems the developers are more interested in features that make them seem cleaver, rather than pointing out their mistakes...
And yes, I am intentionally trying to be provocative.
I'm annoyed that so much time was spent on type hinting, just so we can enforce [bool/float/int/string], yet most of the time it is the encoding of strings that introduces security problems - not just SQLi, but also things like XSS.
Craig
Hi Christopher
2015-09-14 4:44 GMT+02:00 Christopher Owen christopher.owen@live.com:
Please consider making ‘taint’ a first-class feature/extension in PHP 7.0.
It is way too late for any extension to be included in the 7.0 release
now, but you can write an RFC targetting 7.1, please see the wiki for
more details[1].Thank you for the advice; it makes much more sense to target 7.1.
We can see that Wietse Venema; the same man who wrote the highly regarded, security hardened email software Postfix; has authored an RFC for taint's inclusion to PHP the past [1]. Also, a reference implementation has been most recently championed by Xinchen (Laruence) Hui, a core php developer [2].
Given those that came before me, I’m not certain that I can add much in the way of reputation or skill to the request to add taint as a first-class feature of PHP 7.1, but if there are any procedural efforts required then I will be happy to champion them.
I can add that I have personally found taint (either in its original form in perl[3] or as an extension in php) a valuable tool in refactoring legacy php code to reduce SQL injection attack surface.
As authorative internet ‘top ten’ lists will list SQL injection as the number one security vulnerability facing web applications [4] and given the scale of deployed php, efforts to improve tooling (or in this case, the availability of existing tooling) to discover this class of vulnerabilities will have a positive impact on a global scale.
Kind regards,
Christopher Owen.[1] https://wiki.php.net/rfc/taint https://wiki.php.net/rfc/taint
[2] http://pecl.php.net/package/taint http://pecl.php.net/package/taint
[3] http://perldoc.perl.org/perlsec.html#Taint-mode http://perldoc.perl.org/perlsec.html#Taint-mode
[4] http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf <http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
I fully support your effort to get this into the PHP to be part of core
extensions, or at least one of those that keep up with the language
releases.
This is a very good tool to have, and you can actually run it in production
to catch things that may slipped the stating (things happen). And it's
invaluable during during testing.
All,
On Tue, Sep 15, 2015 at 11:15 AM, Arvids Godjuks
arvids.godjuks@gmail.com wrote:
I fully support your effort to get this into the PHP to be part of core
extensions, or at least one of those that keep up with the language
releases.
This is a very good tool to have, and you can actually run it in production
to catch things that may slipped the stating (things happen). And it's
invaluable during during testing.
I'm against any form of tainting for a few reasons.
First, it's only really useful as a first-order heuristic. A failure
does not indicate a security vulnerability, and a non-failure does not
indicate the absence of one. An example of a false-positive would be
if (preg_match('(^[a-z0-9]+$)', $input)) echo $input;. Taint-based
systems would flag that as a possible XSS, where it's clearly not in
any context. An example of a false-negative would be the following:
<a href=<?php echo htmlspecialchars($input); ?>>Bar</a>. If the
input is "foo onclick=dosomethingbad();", an XSS is still executed.
Another example of a false negative would be:
$query = "SELECT * FROM foo WHERE bar = " .
mysqli_real_escape_string($c, $input) . ";";
A false positive is potentially OK. A false negative is not.
Second, it will encourage the improper pattern of "sanitize" functions
to de-taint input. These are functions which call
mysqli_real_escape_string(htmlspecialchars(whatever(etc($input)))).
No matter what the context the variables are used in. This doesn't
improve security (and in many cases can demonstrably harm it). It just
encourages people to work around it. And that ignores that there's an
untaint() function that they can call on any variable to "silence
the errors".
Third, it ignores context. This is related to the first two, but I
think is a separate concern. An example from the taint RFC
(https://wiki.php.net/rfc/taint) is the shell-execution. If the
variable is used in the context of command, one escape function is
needed. If it's used as an argument, another is needed. Detecting
which is not something that's trivial for a language-level taint
function. And calling the wrong function defeats the purpose. So if we
can't detect the context, we can't reliably say whether it's safe or
not.
In the hands of an experienced engineer/security researcher, taint
systems can be a really handy tool to help find possible issues. In
the hands of a junior engineer, it can actually make things worse
because it encourages them to just "silence the errors".
Considering that it's not a reliable tool, and is only a heuristic, I
would suggest that this be implemented as an extension, and not in the
core of a programming language.
With that said, if there are engine hooks necessary to implement this
feature better as an extension, I'm all for adding those hooks. I'm
just against adding something to the language that won't actually be
able to accomplish what it promises.
Escaping is always context-sensitive, in every case. Tainting as has
been proposed in the past doesn't (and literally can't in the general
case) know the context. Therefore it can't reliably know the correct
way to escape.
Consider the case of addslashes() and magic_quotes_gpc. The reason
that they are insecure is that they don't know the context that the
variable is used in. This leads to character set issues, as well as
cases where backslashes enter contexts they don't escape (like HTML
output). We learned years ago that context-insensitive escaping
doesn't work and is literally bad. Let's not make the same mistakes
again (even if it's for the correct reasons this time).
Anthony
Third, it ignores context. This is related to the first two, but I
think is a separate concern. An example from the taint RFC
(https://wiki.php.net/rfc/taint) is the shell-execution. If the
variable is used in the context of command, one escape function is
needed. If it's used as an argument, another is needed. Detecting
which is not something that's trivial for a language-level taint
function. (…)
Actually, you almost always will wantescapeshellarg().escapeshellcmd()
might be useful for a code like the function example, where you want the
user to explicitely provide several parameters, and you somehow
don't want
to split by spaces and apply escapeshellarg to each. And even then,
there are
non-working edge-cases awaiting to bite you, as shown in the comments.
You have a good point, but escapeshellcmd or "let's change the SQL encoding"
are things that you better avoid, security-wise.
Best regards
While skim reading emails (just got back from holiday), I wanted to add...
All,
On Tue, Sep 15, 2015 at 11:15 AM, Arvids Godjuks
arvids.godjuks@gmail.com wrote:I fully support your effort to get this into the PHP to be part of core
extensions, or at least one of those that keep up with the language
releases.
This is a very good tool to have, and you can actually run it in production
to catch things that may slipped the stating (things happen). And it's
invaluable during during testing.I'm against any form of tainting for a few reasons.
First, it's only really useful as a first-order heuristic. A failure
does not indicate a security vulnerability, and a non-failure does not
indicate the absence of one. An example of a false-positive would be
if (preg_match('(^[a-z0-9]+$)', $input)) echo $input;. Taint-based
systems would flag that as a possible XSS, where it's clearly not in
any context.
Personally I would argue that if the echo $input was for printing a variable in a HTML construct, so it MUST go though one of the HTML encoding functions, because that regexp could be changed later.
e.g. an inexperienced developer being told that usernames on a website can now support angle brackets, so "just edit the regexp for the username validation".
This is keeping in mind that the regexp is now usually kept separate from the view code (e.g. MVC style)
An example of a false-negative would be the following:
<a href=<?php echo htmlspecialchars($input); ?>>Bar</a>. If the
input is "foo onclick=dosomethingbad();", an XSS is still executed.
True, but without htmlspecialchars, it will ALWAYS be bad... so while a tainting system won't be able to pick up all problems, it can at least identify more mistakes than it not existing (percentage wise, well that will depend on the programmer).
Maybe you could think of it like having a second pair of eyes looking over your shoulder, politely asking you if you forgot something (a bit like how pair programming helps improve code quality).
Another example of a false negative would be:
$query = "SELECT * FROM foo WHERE bar = " .
mysqli_real_escape_string($c, $input) . ";";A false positive is potentially OK. A false negative is not.
All of the examples have been about using pg_escape_identifier(), because that adds the quote marks... mysqli_real_escape_string by itself would not be enough to say that it safe for an SQL string :-)
Second, it will encourage the improper pattern of "sanitize" functions
to de-taint input. These are functions which call
mysqli_real_escape_string(htmlspecialchars(whatever(etc($input)))).
No matter what the context the variables are used in. This doesn't
improve security (and in many cases can demonstrably harm it). It just
encourages people to work around it. And that ignores that there's an
untaint()function that they can call on any variable to "silence
the errors".
I don't think a sanitize() function would be implemented though, as it would make a mess of variables being passed though more than once... resulting in things like double html encoding (e.g. &), and these stand out much better than the current sanitize() functions which do things like silently stripping "bad" characters like double quotes and less than signs.
If anything, a proper tainting system would help us move away from these horrible functions (says he having had to remove a couple before now).
Third, it ignores context. This is related to the first two, but I
think is a separate concern. An example from the taint RFC
(https://wiki.php.net/rfc/taint) is the shell-execution. If the
variable is used in the context of command, one escape function is
needed. If it's used as an argument, another is needed. Detecting
which is not something that's trivial for a language-level taint
function. And calling the wrong function defeats the purpose. So if we
can't detect the context, we can't reliably say whether it's safe or
not.
Not sure I understand, if anything this gives the strings a context?
Rather than every variable being a simple string (number, etc), they start off being plain text (or a string defined as a constant in PHP), and their escaping is checked in the context of the function that was called (e.g. exec needing escapeshellarg).
In the hands of an experienced engineer/security researcher, taint
systems can be a really handy tool to help find possible issues. In
the hands of a junior engineer, it can actually make things worse
because it encourages them to just "silence the errors".
While I originally hoped that it would be enabled by default, I think for now it would have to be off by default, and probably only used by "experienced engineer/security researchers".
At the moment, static analysis seems to be the closest alternative I can find (and they are pretty awful).
Considering that it's not a reliable tool, and is only a heuristic, I
would suggest that this be implemented as an extension, and not in the
core of a programming language.
Maybe, but I think with some discussions, having it part of the core language would help get all the other extensions to use it (if needed), and help improve viability.
See it like having Notices present, but off by default (which they are).
The other positive is that distros such as Debian / RedHat will then ship with it by default (disabled), rather than having to ask/hope that they will provide a version with it (keeping in mind that they provide security updates without needing to re-compile).
With that said, if there are engine hooks necessary to implement this
feature better as an extension, I'm all for adding those hooks. I'm
just against adding something to the language that won't actually be
able to accomplish what it promises.Escaping is always context-sensitive, in every case. Tainting as has
been proposed in the past doesn't (and literally can't in the general
case) know the context. Therefore it can't reliably know the correct
way to escape.
I think it can, but I agree that there are some edge cases that it won't be able to catch, such as:
$url = $_GET['u']; // ?u=javascript:alert(document.cookies);
echo '<a href="' . htmlentities($url) .'">Cookies</a>';
Consider the case of
addslashes()and magic_quotes_gpc. The reason
that they are insecure is that they don't know the context that the
variable is used in. This leads to character set issues, as well as
cases where backslashes enter contexts they don't escape (like HTML
output). We learned years ago that context-insensitive escaping
doesn't work and is literally bad. Let's not make the same mistakes
again (even if it's for the correct reasons this time).
I am repeating myself now, but yes, magic_quotes_gpc did not know about the context those variables were going into... tainting on the other hand is checking the variables, which are going into a known context, have been escaped (with a couple of possible issues, but they can be addressed though other methods).
Craig
Hi all,
Am 15.09.2015 um 17:09 schrieb Craig Francis:
2015-09-14 4:44 GMT+02:00 Christopher Owen christopher.owen@live.com:
Please consider making ‘taint’ a first-class feature/extension in PHP 7.0.
I would echo Kalle's suggestion of 7.1.
But I think you will find it hard to get support... I was pushing this a few weeks ago (either the one from Wietse Venema, the one from Matt Tait, or even my own suggestion), but it seems the developers are more interested in features that make them seem cleaver, rather than pointing out their mistakes...
the problem with taint support is to get it 100% right. If you leave one
edge case open, who is to blame? PHP or the developer that was totally
confident the taint support might warn him?
The short but already stretched example is SQL injection that exploits
character sets (see
http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string/12118602#12118602),
slightly adapted:
Your connection is initialized as UTF-8 by default:
$mysqli->set_charset('utf8'); // or $mysqli->query('SET NAMES utf8'),
does not matter
a lot later on, you quote a string you got from the environment:
$str = $mysqli->escape_string($_REQUEST['str']);
and then, you recognize from your session variables the user is Chinese
and you have to switch the database character set so you don't have to
convert is stuff with iconv or something:
$mysqli->set_charset('gbk');
$mysql->query("UPDATE xyz SET foo={$str} WHERE condition");
No problem, right? Taint does not scream, $str is perfectly secure to
use in the query, it was escaped. But it is not. You can argue "use
prepared statements" but that is not always possible. Or "do set your
character set only once directly after you connect". But it is possible,
so users will do it and be surprised if taint does not capture such
problems.
Having different taint classes is not enough, taint needs to hold the
charset the untaint is valid for as well. I am not sure even that get
all edge cases. And if not, it gets really complicated.
Greets
Dennis
Hi all,
Am 15.09.2015 um 17:09 schrieb Craig Francis:
2015-09-14 4:44 GMT+02:00 Christopher Owen christopher.owen@live.com:
Please consider making ‘taint’ a first-class feature/extension in PHP 7.0.
I would echo Kalle's suggestion of 7.1.
But I think you will find it hard to get support... I was pushing this a few weeks ago (either the one from Wietse Venema, the one from Matt Tait, or even my own suggestion), but it seems the developers are more interested in features that make them seem cleaver, rather than pointing out their mistakes...
the problem with taint support is to get it 100% right. If you leave one
edge case open, who is to blame? PHP or the developer that was totally
confident the taint support might warn him?
You can grab the following four paragraphs and add it to whatever
documentation on taint you might use.
==8<--------------------------
Taint is blacklisting.
Blacklisting, in and of itself and regardless of the form it takes, is
an immediate indicator of an application that is prone to security
vulnerabilities and/or breakage that can lead to a vulnerability.
With extraordinarily rare exceptions, blacklists are never 100% correct.
Even if it can manage to reach 100% accuracy today, a blacklist will
be out of date tomorrow due to advances in the field.
While writing software being paired with a blacklist such as taint,
performing an appropriate security audit of the software is the only
truly effective approach to securing that software.
====8<------------------------
Problem solved. Also, those are ASCII scissors (in case anyone is
wondering).
As a side note, preg_match() is my current favorite blacklist indicator
of "code with probable security vulnerabilities." If taint is added to
PHP without a suitable caveat lector, it merely adds another tool to my
psychological profiling arsenal.
--
Thomas Hruska
CubicleSoft President
I've got great, time saving software that you will find useful.
Good morning,
==8<--------------------------
Taint is blacklisting.
Last time I checked marking all user input as tainted and requiring
"untainting" before usage in sensitive functions is whitelisting and not
blacklisting.
Regards,
Stefan
--
SektionEins GmbH stefan.esser@sektioneins.de
Breite Str. 159 Tel: 0221 / 29282931
50667 Köln Fax: 0221 / 29282935
http://SektionEins.de/
Firmensitz Breite Str. 159 50667 Köln
Registergericht Amtsgericht Köln HRB 59950
Geschäftsführer: Stefan Esser, Benjamin Fuhrmannek, Christian Horchert
Hi!
Taint is blacklisting.
Last time I checked marking all user input as tainted and requiring
"untainting" before usage in sensitive functions is whitelisting and not
blacklisting.
I would say it's neither - whitelisting is an explicit check (or fixing,
to ensure) that the input matches certain conditions (blacklisting is
the same but "does not match") - but taint actually doesn't do that. All
it does is ensure you did some data fixing - it can't really ensure
what you did, what were the results of the fixing and if the fixing
you employed match the security context in which you are using the data.
So taint does only the half of the work of either blacklist or whitelist
- it ensures you didn't forget to do something, where something could
be white-list. Or be something useless at all. That's the main thing one
needs to remember when using taint - it doesn't do any work, it just
reminds you to do work, and you still have to ensure the work is right.
--
Stas Malyshev
smalyshev@gmail.com
Hey:
Hi!
Taint is blacklisting.
Last time I checked marking all user input as tainted and requiring
"untainting" before usage in sensitive functions is whitelisting and not
blacklisting.I would say it's neither - whitelisting is an explicit check (or fixing,
to ensure) that the input matches certain conditions (blacklisting is
the same but "does not match") - but taint actually doesn't do that. All
it does is ensure you did some data fixing - it can't really ensure
what you did, what were the results of the fixing and if the fixing
you employed match the security context in which you are using the data.
So taint does only the half of the work of either blacklist or whitelist
- it ensures you didn't forget to do something, where something could
be white-list. Or be something useless at all. That's the main thing one
needs to remember when using taint - it doesn't do any work, it just
reminds you to do work, and you still have to ensure the work is right.
Just for the record , Taint is ready for PHP7:
https://github.com/laruence/taint/tree/php7
thanks
--
Stas Malyshev
smalyshev@gmail.com--
--
Xinchen Hui
@Laruence
http://www.laruence.com/
Just to add to the white/black listing argument...
I would say that tainting is a whitelist approach, as everything is blocked by default (seen as untainted), and you need to escape your variables depending on the context they will be used in (or go out of your way to say it has already been escaped, for the rare edge cases mentioned in previous discussions).
As a side note,
preg_match()is my current favorite blacklist indicator of "code with probable security vulnerabilities."
I completely disagree, preg_match can work in both ways, it can do white or black listing, as Anthony demonstrated:
if (preg_match('/^[a-z0-9]+$/', $input)) {
}
That white lists only certain characters, anything else won't match.
Craig
Hi all,
Am 15.09.2015 um 17:09 schrieb Craig Francis:
2015-09-14 4:44 GMT+02:00 Christopher Owen christopher.owen@live.com:
Please consider making ‘taint’ a first-class feature/extension in PHP 7.0.
I would echo Kalle's suggestion of 7.1.
But I think you will find it hard to get support... I was pushing this a few weeks ago (either the one from Wietse Venema, the one from Matt Tait, or even my own suggestion), but it seems the developers are more interested in features that make them seem cleaver, rather than pointing out their mistakes...
the problem with taint support is to get it 100% right. If you leave one
edge case open, who is to blame? PHP or the developer that was totally
confident the taint support might warn him?You can grab the following four paragraphs and add it to whatever documentation on taint you might use.
==8<--------------------------
Taint is blacklisting.Blacklisting, in and of itself and regardless of the form it takes, is an immediate indicator of an application that is prone to security vulnerabilities and/or breakage that can lead to a vulnerability.
With extraordinarily rare exceptions, blacklists are never 100% correct. Even if it can manage to reach 100% accuracy today, a blacklist will be out of date tomorrow due to advances in the field.
While writing software being paired with a blacklist such as taint, performing an appropriate security audit of the software is the only truly effective approach to securing that software.
====8<------------------------Problem solved. Also, those are ASCII scissors (in case anyone is wondering).
As a side note,
preg_match()is my current favorite blacklist indicator of "code with probable security vulnerabilities." If taint is added to PHP without a suitable caveat lector, it merely adds another tool to my psychological profiling arsenal.--
Thomas Hruska
CubicleSoft PresidentI've got great, time saving software that you will find useful.
Hello again php-internals.
I was the original poster of the (most recent) thread on making taint a first-class feature for php.
Shortly after the start of the original thread, Laruence ported the existing php-taint extension to php7 (thank you very much sir!).
For those of you who might like to try, I have been able to successfully test against php 7.0-rc7 using the following steps:
~~ build php-taint for php7
git clone -b php7 https://github.com/laruence/taint.git php-taint
cd php-taint
<path to>/phpize
./configure --with-php-config=<path to>/php-config
make && make install
and to the configuration file <path to php/conf.d>/ext-taint.ini add:
[taint]
extension=“<path to>//taint.so"
taint.enable = On
~~ Recap of discussion so far
Administrative:
- Any new feature requests should be for php 7.1 and not php 7.0
- Taint should not be written to the logs in the default configuration as is true for NOTICE level logs
Pros: - Taint helps to refactor legacy/large code bases
- Taint helps to identify entire classes of programming bugs (such as SQL injections)
- Security experts suggest taint as a useful tool
- Including taint as a first class feature will allow for it to be available in future linux distribution packages of php
Cons: - Taint could harm inexperienced or unmindful programmers; improper filtering of a tainted variable could be falsely validated via a taint feature.
- Taint may promote inexperienced programers to add bad sanitization, reducing their code quality.
~~ Adding to the discussion
Taint is a great feature for identifying where no sanitization is occurring (as opposed to incorrect sanitization).
Incorrect sanitization is not addressed by taint and can currently only be addressed via code audit; This situation is analogous to what taint will improve for the ‘no sanitization’ case.
Taint will not suggest a contextually correct sanitization, but arming a programmer with the knowledge of where to consider sanitization should at worst promote thought and will at best contribute to improved security globally.
The inclusion of taint does not worsen the ‘incorrect sanitization’ case.
The inclusion of taint does not hinder future RFCs from addressing the ‘incorrect sanitization’ case.
It would be fantastic to be able to call untaint() without having to first check if the module is loaded (as could be the case in a staging versus production environment configuration for example).
~~ Moving forward
As discussion seems to have died out, I would like to propose moving to the next stage for inclusion of taint as a first class feature of php 7.1.
Kind regards,
Christopher Owen.
- Including taint as a first class feature will allow for it to be available in future linux distribution packages of php
Any decent linux distribution already makes 'optional' extensions easy
to switch on or off. What you are actually proposing by making an
extension 'first class' is that no-one will be able to switch it off?
The discussion that perhaps wants reopening is making more of the
optional elements of PHP easier to switch off, so that esoteric
extensions can be added and updated at any time.
--
Lester Caine - G8HFL
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
Hi!
As discussion seems to have died out, I would like to propose moving
to the next stage for inclusion of taint as a first class feature of
php 7.1.
What is the difference between what exists now (i.e., extension) and
what you seek to do in 7.1? What do you mean by "first class feature"?
Stas Malyshev
smalyshev@gmail.com
I’m requesting that the functions taint() and untaint() as well as the ability to log taint information be available in the standard interpreter without extensions.
Christopher Owen.
Hi!
As discussion seems to have died out, I would like to propose moving
to the next stage for inclusion of taint as a first class feature of
php 7.1.What is the difference between what exists now (i.e., extension) and
what you seek to do in 7.1? What do you mean by "first class feature"?Stas Malyshev
smalyshev@gmail.com