-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Lorenzo Hernandez Garcia-Hierro <[EMAIL PROTECTED]> wrote:

>
> Commit from lorenzo (2004-03-29 21:10 CEST)
> -------------------
>
> Added POST_VARS filtering.
>
>   savane  frontend/php/include/security.php  1.8

Hello Lorenzo,

I am concerned about the idea of more than 10 extra eregi for each
page, in terms of performance.

Also, if I correctly understood your plan, you are trying to disallow
some characters from being used in the $_GET and $_POST. Which is
indeed very problematic. Do you think that no post on Savane can
contain ";", for instance? Most bug reports probably contain that in
POST.

As I said before, this looks more like hacks and is not a long run
solution. I think it will just create trouble, overcomplicate the
code, make it slower, without benefit.

There are not many ways to handle POST and GET. You must use
addslashes() whenever appropriate, and ideally have register globals
set to off. Fortunately, PHP already does addslashes on every GET,
POST, COOKIE and stuff. So most of the time, everything is correctly
escaped.

I am not satisfied at all with the way things are going on. You made a
clear proposal about register globals, I accepted you in the team to
contribute in that area. Since then, you started implementing ideas
that are not near to reaching any consensus here, you added code whose
copyright you don't own.

It cannot work that way. You can work as you want on a branch to
handle the register globals stuff. But any other security solution is
not ok unless we agree on that. Adding regexps on every GET and POST is
not ok, disallowing =, ', ;, in POST is not ok, disallowing td in GET
is not ok. All that stuff does not cover any identified issue and is
very questionable in regard to efficiency.

Regards,

- -- 
Mathieu Roy

  +---------------------------------------------------------------------+
  | General Homepage:           http://yeupou.coleumes.org/             |
  | Computing Homepage:         http://alberich.coleumes.org/           |
  | Not a native english speaker:                                       |
  |     http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english  |
  +---------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAaRL4Nl9/9y2hmbkRApqyAJ9Ae4OFoYNgyT5MF+0LNMQOki/ooACdE2Dq
fk1s2Nwbkvn40GztlgJZTPA=
=hKb5
-----END PGP SIGNATURE-----
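The contrast the reply draws, between a character blacklist applied to every POST variable and escaping with addslashes(), as an added example that is not part of the thread or of the Savane code base. The blacklist function is a constructed stand-in for the per-variable eregi() checks the commit is said to add (written with preg_match() so it runs on current PHP), the sample bug report is constructed, and the SQL string literal is an assumed context for "whenever appropriate".

```php
<?php
// Added example, not Savane code. Shows why banning characters such as
// = ' ; from POST data breaks legitimate input, while escaping keeps it.

// Constructed stand-in for the per-variable eregi() checks: reject any
// value containing one of the characters the commit tried to disallow.
function blacklist_rejects(string $value): bool
{
    return preg_match('/[=\';]/', $value) === 1;
}

// Escape a value for interpolation into a single-quoted SQL string
// literal (assumed context). addslashes() prefixes ' " \ and NUL with
// a backslash; it does nothing else to the text.
function escape_for_sql_literal(string $value): string
{
    return addslashes($value);
}

// Build the INSERT statement the escaped value would be placed in.
function build_insert(string $details): string
{
    return "INSERT INTO bugs (details) VALUES ('"
        . escape_for_sql_literal($details) . "')";
}

// Constructed sample: an ordinary bug report body submitted via POST.
// It contains ';' and '=' and a quoted string, all normal in a report.
$bugReport = "Crash in parse(); expected x = 'foo' but got NULL";

// The blacklist treats the whole report as unacceptable.
if (blacklist_rejects($bugReport)) {
    echo "blacklist: report rejected\n";
} else {
    echo "blacklist: report accepted\n";
}

// Escaping keeps the report intact inside the SQL literal ...
echo build_insert($bugReport), "\n";

// ... and the text the SQL parser would store equals the original,
// which stripslashes() simulates by undoing the added backslashes.
$roundTripOk = stripslashes(escape_for_sql_literal($bugReport)) === $bugReport;
echo $roundTripOk ? "round trip: intact\n" : "round trip: altered\n";
```

addslashes() is a plain escaping function: it knows nothing about the database's character set or quoting rules, so it is not a replacement for the quoting routine of the database driver actually in use.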
