On February 6, 2005 12:27 pm, Sean Coates wrote:
> This would break pretty much every application ever written.
> Consider:
> <?php
> echo "<html><body><a href=\"http://www.yahoo.com/\">Yahoo!</a></body></html>";
> ?>

Yeah, I realise the output filter would have to be intelligent. It couldn't blindly filter every echoed string.

> You could definitely catch:
> echo "Hello {$_GET['name']}\n";
>
> and MAYBE:
> $name = $_GET['name'];
> echo "Hello {$name}";
>
> but (without a LOT of reference catching, and other nasty hackery that
> may or may not work in the end) not:
> $one = 'na'; $two = 'me';
> $name = $_GET[$one.$two];
> echo "Hello $name";

The tainting model would not necessarily have to work the same way as it does in Perl. Instead it could mark which parts of a string originated from outside of PHP, and then the output filter could apply only to those regions. As strings are concatenated and sliced, the tainted regions would be tracked and would stick with the strings themselves (e.g. as a list of regions attached to each ZVAL?). For example:

$name = $_GET["name"];              // $name is marked as tainted from 0 to
                                    // strlen($_GET["name"]) - 1
echo $name;                         // filter $name{0,} and output

$one = 'na';                        // $one is untainted
$two = 'me';                        // $two is untainted
$name = $_GET[$one.$two];           // $name is marked as tainted from 0 to
                                    // strlen($_GET[$one.$two]) - 1

$tmp = "Hello $name";               // $tmp is marked as tainted from 6 to
                                    // strlen($name) + 5
echo $tmp;                          // $tmp{0,5} is output; $tmp{6,} is passed to
                                    // htmlentities() and then output.

$tmp = substr($tmp, 5);             // $tmp is marked as tainted from 0 to
                                    // strlen($name) - 1

$query = "INSERT $name INTO names"; // $query{7,strlen($name)-1} is tainted
mysql_query($query);                // $query{7,strlen($name)-1} is passed to
                                    // mysql_escape_string(), the rest of the string
                                    // passes unfiltered.

I'm not sure of the feasibility of such a scheme (and obviously it would have a performance impact), but it would "do the right thing".

That said, I think a standard set of input filters available to all PHP developers would be a good thing. It would keep the number of posts about email regexps to a minimum, among other things ;)

Benj

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
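The region-tracking model sketched in the message above, written out as an added userland Python example (not PHP engine code and not part of the original post): regions survive concatenation and substr(), and the output filter escapes only the tainted spans. The $_GET['name'] value and the sql_quote() stand-in for mysql_escape_string() are constructed for the demonstration.

```python
import html

class TaintedStr:
    """A string plus sorted half-open (start, end) regions that came from outside
    the program: a userland model of the per-ZVAL region list proposed above."""
    def __init__(self, text, regions=()):
        self.text = text
        self.regions = sorted(regions)

    @classmethod
    def untrusted(cls, text):
        # Anything read from $_GET etc. is tainted from 0 to strlen - 1.
        return cls(text, [(0, len(text))] if text else [])

    def __add__(self, other):
        # Concatenation keeps regions and shifts the right side's by our length.
        if not isinstance(other, TaintedStr):
            other = TaintedStr(other)
        off = len(self.text)
        shifted = [(s + off, e + off) for s, e in other.regions]
        return TaintedStr(self.text + other.text, self.regions + shifted)

    def __radd__(self, other):          # plain str on the left, e.g. "Hello " + name
        return TaintedStr(other) + self

    def substr(self, start, length=None):
        # Slicing clips each region to the window and re-bases it at 0.
        end = len(self.text) if length is None else start + length
        kept = [(max(s, start) - start, min(e, end) - start)
                for s, e in self.regions if max(s, start) < min(e, end)]
        return TaintedStr(self.text[start:end], kept)

    def render(self, escape):
        # The output filter: only tainted regions go through escape().
        out, pos = [], 0
        for s, e in self.regions:
            out.append(self.text[pos:s] + escape(self.text[s:e]))
            pos = e
        return "".join(out) + self.text[pos:]

def sql_quote(s):
    # Constructed stand-in for mysql_escape_string(): doubles single quotes.
    return s.replace("'", "''")

def demo():
    name = TaintedStr.untrusted("<b>O'Brien</b>")   # constructed $_GET['name']
    tmp = "Hello " + name                            # tainted from 6 onward
    query = "INSERT INTO names VALUES ('" + name + "')"
    return tmp.regions, tmp.render(html.escape), tmp.substr(5).regions, query.render(sql_quote)
```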