On Tue, Dec 19, 2006 at 10:53:51AM -0500, Ilia Alshanetsky wrote:
>
> On 19-Dec-06, at 10:35 AM, Wietse Venema wrote:
> ...
> Bottom line is that it does not. There are plenty of Perl applications
> supposedly safe from XSS due to tainting while in reality they are
> trivially exploitable via XSS due to the fact that the validation regex which
> does the un-tainting of data is sub-par. Your interpretation of how
> the tool is positioned seems to be out of touch with reality. I can
> guarantee you that people will assume that code that works with
> tainting is safe, which could not be further from the truth.

I am sorry - it is you, Ilia, who is out of touch with reality. You seem to have taken a dislike to Wietse's excellent suggestion and have fought it with a barrage of half-baked objections.

It is quite true that a taint flag cannot *guarantee* to make a PHP script completely safe. Using a regex to untaint a value will not guarantee that you end up with a perfectly safe value -- partly because it depends on what you want to do with it.

The point is that most PHP programmers are not completely stupid; agreed, many could be better experienced. But they can all read the following health warning:

    Untainting is only as good as the check that is used.

Let us be done with this discussion and agree (as the Perl & Ruby people have) that it is best to have a useful tool even if we can't make it 100% perfect.

> > As long as we don't overreach (try to stop every problem) and
> > oversell (promise it will stop every problem) then we should be
> > fine, if 17 years of past experience can be applied to PHP.
>
> If you base everything on experience there is no need to use PHP
> period. Stick to predictable C, Fortran, etc...
> Just because a person is a great train engineer does not make him a
> great car mechanic.

Your reply is completely out of tune with Wietse's comment.

--
Alain Williams
Parliament Hill Computers Ltd.
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
#include <std_disclaimer.h>

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
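The two points the thread keeps circling (a regex untaint is only as good as the check, and whether a check is good enough depends on where the value ends up) can be shown in a few lines of userland PHP. The following is an added illustration, not code from this thread, from Wietse's proposal, or from the PHP runtime; the `Tainted` wrapper, `untaint()`, `attr()` and `untaint_for_attr()` are all hypothetical names invented for the example, and the runtime taint flag the thread discusses is simulated here by a plain object type.

```php
<?php
// Added example (not part of the thread): a userland sketch of why
// "untainting is only as good as the check that is used", and why the
// right check depends on the sink the value is destined for.

// Stand-in for the proposed runtime taint flag: input arrives wrapped,
// and sinks that take a plain string cannot accept it by accident.
final class Tainted
{
    public function __construct(public string $raw) {}
}

/**
 * Untaint by validation: the value becomes a plain string only when the
 * whole of it matches $pattern; otherwise it stays Tainted.
 */
function untaint(Tainted $t, string $pattern): string|Tainted
{
    return preg_match($pattern, $t->raw) === 1 ? $t->raw : $t;
}

/** A sink that emits into an HTML attribute. It only takes plain strings,
 *  so passing a Tainted object throws a TypeError. */
function attr(string $value): string
{
    return 'value="' . $value . '"';
}

// Constructed sample input: no angle brackets, but it contains a double quote.
$input = new Tainted('O"Brien');

// Check 1: "no angle brackets". Fine for a text node, sub-par for an
// attribute: the value passes, attr() accepts it, and the output attribute
// is terminated early by the embedded quote.
$weak = untaint($input, '/^[^<>]*$/');
echo attr($weak), "\n";

// Check 2: an allowlist chosen for this particular sink. The same input
// fails the check and stays Tainted, so attr() would refuse it.
$strict = untaint($input, '/^[A-Za-z0-9 ._-]*$/');
var_dump($strict instanceof Tainted);

// The alternative to validating taint away is encoding for the context:
// the quote is turned into an entity and the attribute stays intact.
function untaint_for_attr(Tainted $t): string
{
    return htmlspecialchars($t->raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
echo attr(untaint_for_attr($input)), "\n";
```

Run with `php example.php` on PHP 8.0 or later (it uses constructor promotion and union types). The first `echo` shows the attribute broken by the quote even though the value "passed" the check; the `var_dump` prints `bool(true)` because the stricter pattern rejected it; the last `echo` shows the quote encoded as `&quot;`. The design point is the one Wietse's proposal rests on: the taint flag does not decide whether a check is adequate, it only guarantees that some check (or encoding) was applied before the value reached a sink, and the programmer still has to pick the check for the sink.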