Good Morning,

I just wanted to ask if there was ever a decision made that said tainted
mode will go into PHP mainstream.

Currently there are two implementations available:

GRASP by Coresecurity
* pro: byte level tainting which actually works
* negative: slow

PHP Taint mode by Wietse Venema/IBM
* pro: faster
* negative: broken design+insecure

It is no secret that I don't like the idea of a taint mode in PHP
because it cannot be made secure and fast at the same time.
Coresecurity's GRASP is the best example for this: it uses a secure
design and is therefore slow. On the other hand it seems some people
want the fast implementation of Wietse in the core, which would be bad,
because it is based on wrong assumptions and uses an insecure design
that does only give a false sense of security.

Examples for the wrong assumptions in PHP Taintmode:
1) $_SERVER['PHP_SELF'] is not safe and allows XSS (and more) in many
applications
2) Using mysql_real_escape_string() on user input does not make it safe
for SQL. It only makes SQL strings safe.
Example: "SELECT * FROM table WHERE id=".mysql_real_escape_string($id)
is NOT secure but will result in no taint warning
3) Using htmlentities() on user input does not make it safe for HTML
output. It only makes it safe in some situations.
Example: echo '....<sometag style="some-attribute: ',htmlentities($user_input),'">';
This will allow XSS through the style attribute without a taint warning
Example 2: echo '....<img src="',htmlentities($user_input),'">';
This will allow XSS through a javascript: URL (e.g. in Opera) without a
taint warning


Yours,
Stefan Esser

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
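The three cases from the message above, as an added example (not code from the original post or from either taint-mode implementation): each input is validated against the context of the sink that will receive it, which is what a sound taint mode would have to track instead of "an escaping function was called". Function names and sample inputs are hypothetical.

```php
<?php
// Added example, not part of the original message. The safe handling of an
// input depends on the sink context, not on which escaping function was
// called, which is why untainting after mysql_real_escape_string() or
// htmlentities() is unsound. Function names and inputs are constructed.

// 1) SQL, unquoted numeric context (the id= example above). Quote escaping
//    is irrelevant; enforce the type instead (or bind a PDO parameter).
function idQuery(string $id): string {
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    return 'SELECT * FROM table WHERE id=' . (int) $id;
}

// 2) CSS value inside a style attribute. htmlentities() only prevents the
//    attribute from being closed; it says nothing about CSS-level injection.
//    Accept only the grammar the page actually needs (here: a hex colour).
function cssColor(string $value): string {
    if (!preg_match('/^#[0-9a-fA-F]{6}$/', $value)) {
        throw new InvalidArgumentException('not a hex colour');
    }
    return $value;
}

// 3) URL in an src/href attribute. htmlentities() leaves "javascript:"
//    intact; restrict the scheme first, then escape for the attribute.
function urlAttr(string $url): string {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('disallowed URL scheme');
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: each would be accepted as "escaped" by a naive taint
// mode, but is rejected by the context-specific check.
$cases = [['idQuery', '1 OR 1=1'], ['cssColor', 'red;background:url(x)'],
          ['urlAttr', 'javascript:void(0)'], ['idQuery', '42'],
          ['urlAttr', 'https://example.com/?q="a"&b=1']];
foreach ($cases as [$fn, $input]) {
    try {
        printf("%s(%s) -> %s\n", $fn, var_export($input, true), $fn($input));
    } catch (InvalidArgumentException $e) {
        printf("%s(%s) rejected: %s\n", $fn, var_export($input, true), $e->getMessage());
    }
}
```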