Sasha suggests that I implement these checks in my script: IMHO that's not
a good strategy.
You guys are probably good programmers, but my experience shows me that the
"standard" PHP developer is not aware of security problems, or he/she does
not have the time to finalize the scripts (time is money...).
So I would like to provide a way to ensure some basic tests are made by PHP
itself!
As an analogy I could mention the "mod_security" Apache module: it performs
some tests globally before Apache calls the scripts and so minimizes the effort
of the developers, who would otherwise always have to take care of user input...
Of course, good programmers always filter their inputs, but adding another
security level is good practice too...
I could also say that my patch is a bit like "safe mode": it is not
perfect at all but, nevertheless, it can be useful!
So, I will enhance the "patch" to make it less restrictive when testing the
IP addresses and think about a strategy to handle AOL-like ISPs...
Cheers,
Jerome
Inodes wrote:
> You guys are probably good programmers, but my experience shows me that the
> "standard" PHP developer is not aware of security problems, or he/she does
> not have the time to finalize the scripts (time is money...).
The problem with your patch is twofold:
- It breaks for some users under rare circumstances, which leads to very
hard-to-reproduce bug reports. Trust me. I tried to use IP tracking and
similar stuff and had to remove it because of user complaints.
- It gives a false sense of security, which leads to people spending
less thought on the security concept of the application because they rely
on the session mechanism. Take proxies as an example: you'd have to also
check for X-Forwarded-For headers to get the address behind a large ISP's
proxy, which opens up a whole new can of worms: how do you know that it
wasn't the hacker sending X-Forwarded-For with the user's IP?
I decided to say "If X knows the session ID of User A then he is A".
(Side note: I use my own random/MD5-based session IDs which should be
hard to guess). If I think sniffing a session ID is a problem then my
application probably needs a higher security level anyway and I switch
to SSL.
> So, I will enhance the "patch" to make it less restrictive when testing the
> IP addresses and think about a strategy to handle AOL-like ISPs...
Speaking from my own experience I should warn you that it is quite hard
to convince this list to accept such patches. Don't be too disappointed
in that case ;-)
I agree with other posts that this belongs in either
a) the application
b) PEAR (I'm pretty sure PEAR already offers something like this,
haven't checked though)
and not core PHP.
- Chris
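The following is an added example, not code from either poster or from the patch under discussion. It puts Jerome's "less restrictive" IP test and Chris's two objections (AOL-style egress rotation, and forged X-Forwarded-For) into one application-level check of the kind Chris says belongs in the application rather than in core PHP. The TRUSTED_PROXIES list, the strictness levels and the sample requests are all made up for illustration; a real deployment would read $_SERVER and $_SESSION instead of the arrays passed in here, and this handles only a single layer of reverse proxy.

```php
<?php
// Added example (not from the original thread): binding a session to the
// client address at application level, showing why a naive check is
// defeated by a forged X-Forwarded-For and why an exact-IP check breaks
// for users behind rotating ISP proxies.

// Hypothetical: addresses of reverse proxies we operate ourselves.
// Only these are trusted to have set X-Forwarded-For honestly.
const TRUSTED_PROXIES = ['10.0.0.5'];

// Naive client address: believes X-Forwarded-For from any TCP peer.
// This is Chris's "can of worms": the attacker just sends the victim's
// IP in the header and the check matches.
function clientIpNaive(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        return trim($hops[0]);
    }
    return $server['REMOTE_ADDR'];
}

// Hardened client address: X-Forwarded-For is honoured only when the TCP
// peer (REMOTE_ADDR) is one of our own proxies, and then only the last hop
// (the one our proxy appended) is used, so a client-supplied prefix is
// ignored. Anything unparseable falls back to the peer address.
function clientIpHardened(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    $peer = $server['REMOTE_ADDR'];
    if (in_array($peer, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($hops);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return $peer;
}

// /24 prefix of an IPv4 address, used for the "less restrictive" comparison.
function ipPrefix24(string $ip): string
{
    $long = ip2long($ip);
    return $long === false ? $ip : long2ip($long & 0xFFFFFF00);
}

// Record the client address in the session at login time.
function bindSession(array &$session, string $ip): void
{
    $session['bound_ip'] = $ip;
}

// Per-request check. Strictness (hypothetical levels for this example):
//   0 - no IP check at all (Chris's position: whoever has the ID is the user)
//   1 - same /24 only (Jerome's "less restrictive" variant for proxy farms)
//   2 - exact address match
function sessionStillValid(array $session, string $ip, int $strictness): bool
{
    if ($strictness === 0 || !isset($session['bound_ip'])) {
        return true;
    }
    if ($strictness === 1) {
        return ipPrefix24($session['bound_ip']) === ipPrefix24($ip);
    }
    return $session['bound_ip'] === $ip;
}

// Constructed sample requests (documentation/test addresses, not real traffic).
$victimLogin    = ['REMOTE_ADDR' => '198.51.100.7'];
$attackerForged = ['REMOTE_ADDR' => '203.0.113.9',
                   'HTTP_X_FORWARDED_FOR' => '198.51.100.7'];
$viaOurProxy    = ['REMOTE_ADDR' => '10.0.0.5',
                   'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 198.51.100.7'];
$rotatedEgress  = ['REMOTE_ADDR' => '198.51.100.200']; // same ISP pool, new proxy

$session = [];
bindSession($session, clientIpHardened($victimLogin));

$cases = [
    'attacker, naive resolver, exact match'     => [clientIpNaive($attackerForged), 2],
    'attacker, hardened resolver, exact match'  => [clientIpHardened($attackerForged), 2],
    'real user via our proxy, exact match'      => [clientIpHardened($viaOurProxy), 2],
    'real user after egress rotation, exact'    => [clientIpHardened($rotatedEgress), 2],
    'real user after egress rotation, /24 only' => [clientIpHardened($rotatedEgress), 1],
];
foreach ($cases as $label => [$ip, $strictness]) {
    printf("%-45s ip=%-15s allowed=%s\n", $label, $ip,
        sessionStillValid($session, $ip, $strictness) ? 'yes' : 'no');
}
```

Run it with `php` from the command line. The first two rows show the header forgery Chris describes: the naive resolver lets the attacker's request match the bound address, while the hardened resolver, which ignores X-Forwarded-For from an untrusted peer, does not. The last two rows show the trade-off behind Jerome's planned relaxation: a user whose ISP moves them to another proxy in the same /24 fails an exact match but passes the prefix match, at the cost of accepting anyone else in that /24 who has obtained the session ID. None of this replaces an unguessable session ID or transport encryption, which is Chris's underlying point.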