Jeff Moore wrote:
> On Dec 19, 2006, at 10:53 AM, Ilia Alshanetsky wrote:
>> Bottom line is that does not, there are plenty of Perl applications
>> supposedly safe from XSS due to tainting while in reality are
>> trivially exploitable via XSS due to the fact validation regex which
>> does the un-tainting of data is sub-par.
>
> If you incorrectly untaint data, how is that worse than not knowing that
> there was a tainted data path in your code in the first place?
>
> The perfect is the enemy of the good. I think we can all agree that
> tainting can never be perfect. The question is: is it better than what we
> have now?

It does not need to be perfect to be useful. But without it being
context aware it will simply fail in too many cases imho to be really
useful. However, it will add code to PHP that needs to be maintained and
documented, and it will potentially have a performance impact.

Some people are also concerned about a false sense of security. While I
think we are all aware that perfect security is not attainable in a
realistic IT environment, I at least partially agree with the sentiment:
a taint without context will find you some issues, but is likely to
overlook so many cases that the benefit becomes quite limited compared to
what people would expect.

regards,
Lukas
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php