Lester, I don't quite understand the relevance of PHPEclipse to the issue. And I'm not sure how you judge "clogging up" PHP without seeing a patch, especially as I'm not sure how much PHP internals hacking you've done.
Andi

> -----Original Message-----
> From: Lester Caine [mailto:[EMAIL PROTECTED]
> Sent: Friday, December 15, 2006 11:31 PM
> To: PHP internals
> Subject: Re: [PHP-DEV] Run-time taint support proposal
>
> Wietse Venema wrote:
> > Ilia Alshanetsky:
> >> And here is your first exploit, let's say we say
> >> mysql_real_escape_string() takes tainted data and makes it untainted,
> >> what happens when this "safe" data is passed to exec().
> >
> > You need a malicious code writer to have an exploit. As far as I know,
> > PHP is not a platform for securely executing hostile code.
> >
> >> You are going to need to deal with different levels of taint-untainted
> >> and 1 bit is not going to give you that flexibility. You are going to
> >> need an int/long, maybe even a long long.
> >
> > Sandboxing malicious code requires a lot more than taint levels.
> >
> > I'll be happy to provide that, but it's outside of the contribution
> > that I'm trying to make for 2007. Right now I am merely targeting the
> > non-malicious programmers.
>
> In that case do we really need something clogging up the code base?
> Improving the performance of tools like PHPEclipse would seem to me to
> be a better use of resources than adding the same sort of checks into
> the runtime engine?
>
> --
> Lester Caine - G8HFL
> -----------------------------
> L.S.Caine Electronic Services - http://home.lsces.co.uk
> Model Engineers Digital Workshop - http://home.lsces.co.uk/ModelEngineersDigitalWorkshop/
> Treasurer - Firebird Foundation Inc. - http://www.firebirdsql.org/index.php
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
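The exploit Ilia describes in the quoted thread (data "untainted" by mysql_real_escape_string() flowing into exec()) is easiest to see with a small model of the two designs under discussion. The block below is an added example, not code from this thread, from the taint proposal, or from PHP itself; it contrasts a single safe/unsafe bit with a per-sink taint mask, using toy stand-ins for mysql_real_escape_string() and escapeshellarg() whose names, escaping rules and sink names are assumptions chosen for illustration.

```python
"""Toy taint model: one taint bit versus one bit per sink class.

Added example for the PHP internals thread on run-time taint support; it is
not PHP's implementation nor the proposal's. Sanitizer and sink names are
illustrative stand-ins (assumption).
"""
from dataclasses import dataclass

# One bit per sink class (assumed layout for this example).
TAINT_SQL = 1 << 0
TAINT_SHELL = 1 << 1
TAINT_HTML = 1 << 2
TAINT_ALL = TAINT_SQL | TAINT_SHELL | TAINT_HTML


class TaintError(Exception):
    """Raised when a sink receives data still tainted for that sink."""


@dataclass(frozen=True)
class Tainted:
    value: str
    taint: int  # bitmask of sinks this value is still unsafe for


def from_request(raw: str) -> Tainted:
    """Anything arriving from the network starts tainted for every sink."""
    return Tainted(raw, TAINT_ALL)


def escape_sql(t: Tainted) -> Tainted:
    """Stand-in for mysql_real_escape_string(): clears only the SQL bit."""
    escaped = t.value.replace("\\", "\\\\").replace("'", "\\'")
    return Tainted(escaped, t.taint & ~TAINT_SQL)


def escape_shell_arg(t: Tainted) -> Tainted:
    """Stand-in for escapeshellarg(): single-quotes, clears only the shell bit."""
    escaped = "'" + t.value.replace("'", "'\\''") + "'"
    return Tainted(escaped, t.taint & ~TAINT_SHELL)


def _sink(t: Tainted, required_clear: int, name: str) -> str:
    # A sink only cares about its own bit; other bits may stay set.
    if t.taint & required_clear:
        raise TaintError(f"{name}: still tainted for this sink (mask {t.taint:#x})")
    return t.value


def sql_query(t: Tainted) -> str:
    """SQL sink: requires the SQL bit to be clear."""
    return _sink(t, TAINT_SQL, "sql_query")


def exec_cmd(t: Tainted) -> str:
    """Shell sink: requires the shell bit to be clear, whatever else was escaped."""
    return _sink(t, TAINT_SHELL, "exec")


def reaches_sink(sink, t: Tainted) -> bool:
    """True if the per-sink model lets t through to sink."""
    try:
        sink(t)
        return True
    except TaintError:
        return False


def one_bit_exec_after_sql_escape(raw: str) -> str:
    """The 1-bit design from the thread: a single tainted flag, flipped to
    'safe' by any sanitizer. After mysql_real_escape_string() the flag is
    clear, so exec() accepts the value with shell metacharacters intact."""
    tainted = True
    escaped = raw.replace("\\", "\\\\").replace("'", "\\'")
    tainted = False  # sanitizer ran; the only bit we have says "safe"
    if tainted:
        raise TaintError("exec: tainted")
    return escaped  # '; id' survives untouched


if __name__ == "__main__":
    hostile = "x'; id; echo '"  # constructed input
    print("1-bit model, exec() receives:", one_bit_exec_after_sql_escape(hostile))
    print("per-sink, sql after sql-escape ok:", reaches_sink(sql_query, escape_sql(from_request(hostile))))
    print("per-sink, exec after sql-escape ok:", reaches_sink(exec_cmd, escape_sql(from_request(hostile))))
    print("per-sink, exec after shell-escape ok:", reaches_sink(exec_cmd, escape_shell_arg(from_request(hostile))))
```

With the per-sink mask, escape_sql() leaves TAINT_SHELL set, so exec_cmd() refuses the value until escape_shell_arg() has run; the one-bit model cannot express that distinction, which is the gap Ilia's "int/long" remark points at.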