Hi Mathieu,

> I am concerned about the idea of more than 10 extra eregi for each
> page, in terms of performance.

Including the removed security.php in pre.php will do some work that in other ways can be really dirty.

> Also, if I correctly understood your plan, you are trying to
> disallow some characters from being used in the $_GET and $_POST.
> Which is indeed very problematic. Do you think that no post on Savane can
> contain ";", for instance? Most bug reports probably contain that
> in POST.

I have seen addslashes() usage and I removed the POST VARS filtering from my local copy.

> As I said before, this looks more like hacks and is not a long-run
> solution. I think it will just create trouble, overcomplicate the
> code, make it slower, without benefit.

Why not a long-run solution? It's a hack, yes, but if it is coded with care it doesn't create more trouble. Slower? I think not so much; it's only eregi use, and there is no eregi on every page, just in one file that is included globally. The benefit is that we can filter every variable depending on the method used.

> There are not many ways to handle post and get. You must use
> addslashes() whenever appropriate, and ideally have register
> globals set to off. Fortunately, PHP already does addslashes on
> every GET, POST, COOKIE and stuff. So most of the time, everything
> is correctly escaped.

I have started working in a new branch without globals, but I must check out another copy of CVS, create a new branch and, the most difficult thing, recode all the things: look at all the variables, look at all the functions. It is almost blind hacking of the Savane code. I'll do it, but I need time, and I am currently a student at secondary school.

> I am not satisfied at all with the way things are going on. You
> made a clear proposal about register globals, I accepted you in the
> team to contribute in that area. Since then, you started
> implementing ideas that are not near reaching any consensus here,
> you added code whose copyright you don't own.

The NRG branch is definitely going to be coded, but I want to have consensus with you and the rest of the developers. About owning the copyright: the XOR encoding class was removed and I started working on the filters. I want to know if I can work on some hacks of the trunk, to improve security more in the current release.

> It cannot work that way. You can work as you want on a branch to
> handle the register globals stuff. But any other security solution
> is not ok unless we agree on that. Adding regexp on every GET and
> POST is not ok, disallowing =, ', ;, in POST is not ok, disallowing
> td in GET is not ok. All that stuff does not cover any identified
> issue and is very questionable in regards of efficiency.

Ok. I want to propose this to the team: if I can work on a minor fix/hack to provide filters:

- can I use eregi to do it?
- which tags or characters will be filtered? (and in which method)
- is POST and GET method filtering needed?
- is any other security improvement needed on the trunk?

Best regards.

--------------------------------------
Lorenzo Hernandez Garcia-Hierro
PGP: Key fingerprint: 4ACC D892 05F9 74F1 F453 7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
http://www.tuxedo-es.org
______________________________________
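The disagreement above in runnable form, as an added example that is not code from Savane or from either author: a blanket blacklist over every POST value of the kind proposed, run on a constructed bug-report field, next to the alternative Mathieu describes, keeping the raw value and escaping it at the point of use. preg_match stands in for eregi (removed from modern PHP), PDO parameter binding stands in for addslashes() as the "appropriate" SQL-side escaping, and the in-memory SQLite table and the specific characters rejected are assumptions for the demonstration.

```php
<?php
// Added example, not Savane code. preg_match replaces the removed eregi().

// The contested approach: one blanket blacklist run over every POST value.
// Assumption: ';', '=' and "'" are among the characters proposed for rejection.
function blanket_blacklist(array $post): array {
    $rejected = [];
    foreach ($post as $name => $value) {
        if (preg_match('/[;=\']/', $value)) {
            $rejected[] = $name;
        }
    }
    return $rejected;   // field names the filter would refuse outright
}

// Per-context handling: keep the raw value, escape only where it is used.
function for_html(string $value): string {
    // Neutralises markup when the value is rendered into a page.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function for_sql(PDO $db, string $value): PDOStatement {
    // Parameter binding keeps the value out of the SQL grammar entirely,
    // so no character has to be banned from the input.
    $stmt = $db->prepare('INSERT INTO bug_report (details) VALUES (:details)');
    $stmt->bindValue(':details', $value, PDO::PARAM_STR);
    return $stmt;
}

// Constructed sample: a legitimate bug report that happens to contain ';' and '='.
$post = [
    'summary' => 'Crash in parser',
    'details' => "Repro: set PATH=/usr/bin; run ./configure && make",
];

// The blacklist flags the 'details' field, so this report could never be filed.
print_r(blanket_blacklist($post));

// The same value rendered safely for HTML and stored safely via a bound parameter.
echo for_html($post['details']), "\n";
$db = new PDO('sqlite::memory:');           // assumes the pdo_sqlite extension
$db->exec('CREATE TABLE bug_report (details TEXT)');
for_sql($db, $post['details'])->execute();
echo 'stored rows: ', $db->query('SELECT COUNT(*) FROM bug_report')->fetchColumn(), "\n";
```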
