"Lorenzo Hernandez Garcia-Hierro" <[EMAIL PROTECTED]> typed:
> Hi Mathieu,
>
>> I am concerned about the idea of more than 10 extra eregi for each
>> page, in terms of performance.
>
> Including the removed security.php in pre.php will do some work that
> in other ways can be really dirty.
>
>> Also, if I correctly understood your plan, you are trying to
>> disallow some characters from being used in the $_GET and $_POST.
>> Which is indeed very problematic. Do you think that no post on Savane can
>> contain ";", for instance? Most bug reports probably contain that
>> in POST.
>
> I have seen addslashes() usage and I removed from my local copy the
> POST VARS filtering.
>
>> As I said before, this looks more like hacks and is not a long run
>> solution. I think it will just create trouble, overcomplicate the
>> code, make it slower, without benefit.
>
> Why not a long run solution?

Because adding an extra parsing of every variable like that is likely to add an annoying load increase on servers that serve many pages.

> It's a hack, yes, but if it is coded with care it doesn't create
> more trouble. Slower, I think not so much, it's only eregi use and
> there is no eregi at every page, just in one file that is included
> globally. The benefit is in the form that we can filter every
> variable depending on the used method.

On the other hand, we would not need that with register globals set to off.

>> There are not many ways to handle post and get. You must use
>> addslashes() whenever appropriate, and ideally have register
>> globals set to off. Fortunately, PHP already does addslashes on
>> every GET, POST, COOKIE and stuff. So most of the time, everything
>> is correctly escaped.
>
> I have started working in a new branch without globals but I must
> checkout another copy of CVS, create a new branch and the most
> difficult thing,
> recode all the things, look at all variables, look at all the
> functions.
> It is almost a blind hacking of Savane code, I'll do it but I need
> time and I am currently
> a student of secondary school.

I know, it is a tough and big job. That's why the best is to start with a little part of Savane like the news tracker. But that would be a great improvement, that makes the difference, without annoying counterpart.

>> I am not satisfied at all with the way things are going on. You
>> made a clear proposal about register globals, I accepted you in the
>> team to contribute in that area. Since then, you started
>> implementing ideas that are not near to reaching any consensus here,
>> you added code you
>> don't own the copyright of.
>
> NRG branch is definitely going to be coded but I want to
> have consensus with you and the rest of the developers.

On the register_globals, you have it. I discussed that before with other persons of the team, and I don't think people will ever object to that change that even the PHP software itself recommends (as register_globals is now set to off by default).

> About own copyright, the xor encoding class was removed and I
> started working on the filters. I want to know if I can work in
> some hacks of the trunk, to improve more security in the current
> release.

I would like you to ask savane-dev first for an approval from me or other persons involved in the project. The trunk is a too sensitive part.

> I want to propose the team this:
>
> if I can work on a minor fix/hack to provide filters:
>
> - can I use eregi to do it?
> - which tags or characters will be filtered?
> (and in which method)
> - is post and get methods filtering needed?

As I said in the rest of this mail, I am not comfortable with the idea of such filters. I can see the benefit but there is a sum of problems that come with it which is way bigger. Theoretically, no tag or character should ever be filtered. We could escape some characters --and that's what we do, in fact--, but filtering would add very annoying restrictions.

For instance, think about the "comment" field of the tracker: any character should be allowed to appear there. In a comment of a bug, someone should be able to put code. The only matter is to avoid getting it executed. But I think addslashes() handles that well. So I'd like you to postpone your idea of filtering, and see if it is really needed once the register_globals stuff is done.

> - is any other security improvement needed on the trunk?

Not that I am specifically aware of.

Regards,

-- 
Mathieu Roy
+---------------------------------------------------------------------+
| General Homepage: http://yeupou.coleumes.org/ |
| Computing Homepage: http://alberich.coleumes.org/ |
| Not a native english speaker: |
| http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english |
+---------------------------------------------------------------------+
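The trade-off discussed in this thread, blacklist filtering versus escaping, and register_globals on versus off, as an added PHP example that is not part of the mailing-list exchange or of Savane's code base. The comment string, the request array and the function names are constructed for illustration; preg_replace stands in for the eregi-based filter under discussion (eregi was removed in PHP 7), and extract() on a request array is used only to reproduce what register_globals=on used to do, so the hazard can be shown in code that runs today.

```php
<?php
// Added example, not Savane code: contrasts filtering, escaping for storage,
// escaping for display, and register_globals on/off on a constructed bug report.

// Constructed tracker comment. A real bug report legitimately contains
// semicolons, quotes, parentheses and angle brackets because it quotes code.
$comment = "Crash in parse(): calls strcpy(buf, input); see <stdio.h> and 'main'";

// 1. Blacklist filtering (the approach debated in the thread): strip characters
//    that look dangerous. The report loses the very characters that carry its
//    meaning, and anything not on the list is still passed through untouched.
function filter_blacklist(string $s): string
{
    // preg_replace stands in for the eregi filter; eregi no longer exists in PHP 7+.
    return preg_replace('/[;<>\'"()]/', '', $s);
}

// 2. Escaping for storage: addslashes() keeps every character and only prefixes
//    quotes and backslashes, so the value survives inside an SQL string literal.
//    (addslashes is what the thread refers to; with a modern database layer a
//    prepared statement with bound parameters is the robust equivalent.)
function escape_for_sql(string $s): string
{
    return addslashes($s);
}

// 3. Escaping for display: the comment is stored verbatim and encoded only when
//    rendered into HTML, so code inside the comment is shown, not executed.
function escape_for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

echo "filtered : ", filter_blacklist($comment), "\n";   // parentheses, ';' and '<stdio.h>' brackets are gone
echo "sql      : ", escape_for_sql($comment), "\n";     // quotes gain a backslash, nothing else changes
echo "html     : ", escape_for_html($comment), "\n";    // '<' and '>' become entities, text stays readable

// register_globals: with it on, every request parameter became a PHP variable
// in the page's scope. extract() on a constructed request array reproduces that
// behaviour here purely to show why it is unsafe; do not do this in real code.
$request = ['bug_id' => '42', 'is_admin' => '1'];   // constructed, client-controlled names and values

function page_with_globals(array $request): string
{
    extract($request);                  // behaves like register_globals=on
    // The application never assigned $is_admin, yet the request just created it.
    return isset($is_admin) && $is_admin ? 'admin view' : 'user view';
}

function page_without_globals(array $request): string
{
    $is_admin = false;                              // application state, set only by the application
    $bug_id   = (int) ($request['bug_id'] ?? 0);    // explicit, typed read of the one input we expect
    return $is_admin ? 'admin view' : "user view of bug $bug_id";
}

echo page_with_globals($request), "\n";
echo page_without_globals($request), "\n";
```

Running the script shows the point made in the thread: the filtered comment is mangled while both escaped forms keep it intact and merely neutralise it for the context it is going into (an SQL literal, an HTML page). The last two calls show why turning register_globals off matters more than any filter: with request parameters spilled into the local scope, a name the application never initialised can be supplied by the client, whereas explicit reads from the request array leave application state under the application's control.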
