I think that having more than a black&white taint mode is actually going to be a mess and smells much more like a safe_mode problem to me than the b&w approach. It'll be very easy to explain what the simple approach is and that it assumes that you "correctly" filter/untaint the data. At the end of the day, even ext/filter can be seen as useless because the developer might pick the wrong function.
Anyway, I think we'll all be much smarter, once we take Wietse's patch when it's ready, and run it through a few PHP applications (SugarCRM, phpBB, fudForum, Wordpress) and get a feel for how it works with real-life examples. I think having a proof-of-concept is going to change the nature of this discussion (possibly either way). Andi > -----Original Message----- > From: Pierre [mailto:[EMAIL PROTECTED] > Sent: Tuesday, December 19, 2006 5:02 PM > To: Stanislav Malyshev > Cc: PHP internals; Wietse Venema > Subject: Re: [PHP-DEV] Run-time taint support proposal > > Hello, > > On 12/20/06, Stanislav Malyshev <[EMAIL PROTECTED]> wrote: > > > Now, about taint mode, is it possible to leave the input > filtering > > > for a second and explain me what else you like to do? How do you > > > plan to manage the contexts? Do you want this horrible mode 3? Or > > > will you > > > > I'm not sure what you mean by "contexts". > > output to browser, output to system (console/whatever else), > sql, xml, streams, etc... all of them require special attentions. > > > I suppose by "mode 3" you mean > > I refer to the three mode proposed by Wietse > (http://news.php.net/php.internals/27102). > > > mode in which tainted data output or passed to function > which is not > > marked safe to accept tainted data causes error? Yes, I > think I want it. > > I do not want the mode 3, for the reasons I explained > earlier. I also think many developers have the same reasons > against it. It will be enabled by default by many ISP and > will bring back the pain of safe_mode. > > > However, if you use only filtered data, you have nothing to worry > > about and probably would never know about tainting. > However, not many > > of existing application work like that, unfortunately. > > That's why I'm a fan of a drastic change, drop GPCES > superglobals and force the developers to use the filter > functions. At least it can be something the taint mode can do. > > > > argue about input filtering, sory taint mode until next year? :) > > > > New year is in 12 days now, so I would not be surprised if the > > discussion continued beyond that date :) > > :) > > --Pierre > > -- > PHP Internals - PHP Runtime Development Mailing List To > unsubscribe, visit: http://www.php.net/unsub.php > -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
