(Wietse Venema) wrote:
> Rasmus Lerdorf:
>>> I don't think it's unreasonable to require scripts outputting content
>>> other than HTML to include a line that modifies the default behaviour.
>>> Surely the benefits far outweigh that cost.
>> That's already there.  They set the content-type.  The problem becomes
>> when they set it vs. when output goes out.  It's also very common to
>> turn on output buffering and buffer a bunch of stuff and then set the
>> content-type just before flushing the buffer.
> 
> That practice would be incompatible with taint checks. I suppose
> having to specify the type first is not a burden for the application,
> because the application knows what output it is going to produce,
> before it produces it.
> 
> Taint policy is applied to echo (and print, etc.) arguments. It
> can't be applied to the contents of the output buffer, because that
> would be prohibitively expensive. One would need to record that
> byte A came from function B argument C at file D line E, and that
> byte A had a particular set of taint labels.

Hi,

Would input from external files be considered tainted?  In other words,
a common approach is to create a cached page, write it to disk, and then
readfile() it.  In other words, is TC_SELF applied to stream data?

Greg

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
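The trade-off Wietse describes (taint labels are visible at the echo call, but not once data has gone through an output buffer or a cache file) can be sketched in userland PHP. The script below is an added illustration for this thread, not code from PHP's taint patch or from any poster; the `Tainted` class and the `TC_HTML` label are assumptions made for the demonstration, while `TC_SELF` is the label Greg asks about. It shows the three situations in the exchange: declaring the content type before echoing, buffering first and declaring later, and reading a cached page back from disk.

```php
<?php
// Added illustration (not from the thread): a userland model of the taint
// discussion. Labels travel with a value only while it is a Tainted object;
// class and label names (Tainted, TC_HTML) are assumptions.

final class Tainted
{
    public function __construct(
        public readonly string $value,
        public readonly array $labels,   // e.g. ['TC_HTML', 'TC_SELF']
    ) {}
}

/**
 * Policy applied at the echo call, the only point where the argument and
 * its labels are still visible. The content type must be known by then.
 */
function checked_echo(?string $contentType, Tainted|string $arg): void
{
    if ($arg instanceof Tainted) {
        if ($contentType === null) {
            throw new RuntimeException('content type not declared before output');
        }
        if ($contentType === 'text/html' && in_array('TC_HTML', $arg->labels, true)) {
            throw new RuntimeException('tainted data would reach HTML output');
        }
        $arg = $arg->value;
    }
    echo $arg;
}

// Simulated request input; under CLI $_GET is empty, so the default is used.
$user = new Tainted($_GET['name'] ?? 'stranger', ['TC_HTML']);

// 1. Declare the type first, then echo: the check can run on the argument.
try {
    checked_echo('text/html', $user);
} catch (RuntimeException $e) {
    echo "blocked: {$e->getMessage()}\n";
}
checked_echo('text/html', htmlspecialchars($user->value));   // plain string, passes
echo "\n";

// 2. Buffer first, set the type later: ob_get_clean() hands back a plain
//    string, so by the time the content type is known there are no labels
//    left to check (nothing records which byte came from which argument).
ob_start();
echo $user->value;
$page = ob_get_clean();
var_dump($page instanceof Tainted);   // bool(false)

// 3. Cached-page round trip: the same question for stream data. Unless the
//    runtime labels what it reads back (Greg's TC_SELF question), the file
//    contents are an unlabelled string like the buffer above.
$cache = tempnam(sys_get_temp_dir(), 'page');
file_put_contents($cache, $page);
$fromDisk = file_get_contents($cache);
unlink($cache);
var_dump($fromDisk instanceof Tainted);   // bool(false)
```

Run it with `php taint_demo.php`; the first `checked_echo` call is blocked because the argument still carries `TC_HTML`, while the buffered and cached copies of the same bytes carry nothing, which is why the per-echo policy needs the content type declared before the first `echo`.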