Well you wouldn't have to use tainted mode of course. This can/should be
turned off by default.
I think having such a mode would be of great help to many users though. It
would allow them to find any quirks in their data/input filtering and help
them focus on where they should do a better job. Of course no one such
solution will solve application-level security issues but it could end up
being a very useful tool which helps people address the majority of such
problems. In fact, if you look at many of the phpBB vulnerabilities (which
has also very much tainted PHP's name), I believe the majority were due to
input checking.

Education is nice, but providing tools that can help you in developing is
even nicer. As far as tainting levels are concerned, I don't think we'd have
to go that far. There's a limit on how much you can help a person not to
shoot themselves in their own foot. If they want to explicitly untaint
dangerous data, or validate data for XSS and use it in exec(), that's already
the point where the user needs to know what he's doing. We can just provide
the tools which help him and guide him at what data he needs to cleanse. He
can screw up in the cleansing process. Hopefully solutions like ext/filter
will provide the right APIs though to make this very straightforward for the
average developer.

I must say that I am also a bit worried about having another safe_mode saga.
However, if we take an approach here where everything is tainted unless
proven innocent it might succeed much better than safe_mode where we had to
label the "insecure" places.

I think this all boils down to expectations. If people's expectations will
be that passing tainted mode means the app is secure, then that's
obviously a problem. If people's expectations are that this is a tool which
helps them better secure their app, then that might be successful.

I've been on the fence here from the beginning. I am pretty sure this would
be a very useful feature but I'm somewhat paranoid after the whole safe_mode
saga. Stas pointing out the difference between safe_mode, which is "trust
everyone unless explicitly pointed out", vs. a possible approach here of
"trust no one unless explicitly pointed out" might make the difference
though.

Andi 

> -----Original Message-----
> From: Ilia Alshanetsky [mailto:[EMAIL PROTECTED] On Behalf Of 
> Ilia Alshanetsky
> Sent: Friday, December 15, 2006 3:08 PM
> To: Alain Williams
> Cc: PHP internals
> Subject: Re: [PHP-DEV] Run-time taint support proposal
> 
> 
> On 15-Dec-06, at 6:02 PM, Alain Williams wrote:
> 
> > PHP is easy to write, that is good. Unfortunately this also
> > means that bad/simple/careless programmers can use PHP ... these are
> > the ones who cause many of the PHP script errors that cause problems.
> 
> That's exactly it, PHP is popular because it is easy to use.
> You take that away and quite frankly there is very little
> reason left to use PHP over C#, Python, etc...
> 
> Ilia Alshanetsky
> 
> --
> PHP Internals - PHP Runtime Development Mailing List To 
> unsubscribe, visit: http://www.php.net/unsub.php
> 

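The "tainted unless proven innocent" model discussed in this thread, as an added illustration that is not part of the original mail nor PHP's actual taint proposal or ext/filter: a small Python simulation in which every request value starts out tainted, string operations propagate the taint, validating/escaping filters return untainted values, an explicit untaint() is the developer's own escape hatch, and output/database sinks refuse tainted data. All names (Tainted, filter_int, echo, run_query, audit) and the sample request values are constructed for the example.

```python
"""Toy model of a default-deny taint mode: data is untrusted until a filter clears it."""
import html
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Tainted:
    """A string of untrusted origin; 'source' records where it came from."""
    value: str
    source: str


class TaintError(Exception):
    """Raised when tainted data reaches a sink that must only see cleansed data."""


def request_input(params):
    """Simulated request read: every value is tainted by default
    (the 'trust no one unless explicitly pointed out' policy)."""
    return {k: Tainted(v, f"request[{k}]") for k, v in params.items()}


def _raw(v):
    return v.value if isinstance(v, Tainted) else str(v)


def concat(*parts):
    """String operations propagate taint: if any piece is tainted, so is the result."""
    joined = "".join(_raw(p) for p in parts)
    sources = [p.source for p in parts if isinstance(p, Tainted)]
    return Tainted(joined, "+".join(sources)) if sources else joined


def filter_int(v):
    """Validating filter (in the spirit of an ext/filter integer filter):
    accepts only an optionally signed decimal string and returns an untainted int."""
    raw = _raw(v).strip()
    if not re.fullmatch(r"[+-]?\d+", raw):
        raise ValueError(f"not an integer: {raw!r}")
    return int(raw)


def escape_html(v):
    """Sanitizing filter for HTML output: escaping clears the taint."""
    return html.escape(_raw(v), quote=True)


def untaint(v, reason):
    """Explicit escape hatch: the developer asserts the value is safe for a
    documented reason. This is the point where they must know what they are doing."""
    return _raw(v)


def echo(v):
    """Output sink: refuses tainted data instead of emitting it to the browser."""
    if isinstance(v, Tainted):
        raise TaintError(f"tainted data from {v.source} reached echo()")
    return v


def run_query(sql):
    """Database sink: same rule as echo()."""
    if isinstance(sql, Tainted):
        raise TaintError(f"tainted data from {sql.source} reached run_query()")
    return sql


def render_greeting(params):
    """Correct handler: the name is escaped before it reaches the output sink."""
    req = request_input(params)
    return echo(concat("Hello ", escape_html(req["name"])))


def lookup_user(params):
    """Correct handler for a numeric id: validated to an int, then used in a query."""
    req = request_input(params)
    uid = filter_int(req["id"])
    return run_query(f"SELECT * FROM users WHERE id = {uid}")


def render_greeting_unfiltered(params):
    """Buggy handler: the raw value flows straight to the output sink.
    Under taint mode this raises TaintError; without it, it is a reflected-XSS bug."""
    req = request_input(params)
    return echo(concat("Hello ", req["name"]))


def audit(params, handlers):
    """Run each handler on the same request and report which ones let
    tainted data reach a sink; this is the 'where should I do a better job' list."""
    report = {}
    for handler in handlers:
        try:
            handler(params)
            report[handler.__name__] = "ok"
        except TaintError as err:
            report[handler.__name__] = str(err)
    return report


if __name__ == "__main__":
    # Constructed sample request, not real traffic.
    sample = {"name": "<b>Bob</b>", "id": "42"}
    for name, result in audit(sample, [render_greeting, lookup_user,
                                       render_greeting_unfiltered]).items():
        print(f"{name}: {result}")
```

The useful property is that the sink, not the developer's memory, enforces the check: the unfiltered handler is caught on the first request regardless of whether the value happens to look malicious, which is what makes this model the inverse of safe_mode's "label the insecure places" approach. The untaint() call remains the one place where the mode deliberately trusts the developer.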