At 17:35 19/12/2006, Wietse Venema wrote:
> Zeev Suraski:
>> My 2c on this piece is that tainting can be a nice helper tool to
>> reduce the likelihood of security problems in your code. Nothing
>> more and nothing less.
>>
>> I too fear the possibility of tainting becoming the new
>> safe_mode. "Outsource your security to PHP, it'll take care of
>> it". But I think there's a way of both designing and pitching
>> tainting so that we avoid this false perception. If we pitch
>> tainting as a development-time only tool that points out a certain
>> class of security mistakes, and is by no means an invisible magnetic
>> shield that actually protects you from them - then I think it can be
>> quite useful.
> Following up on an earlier suggestion in this thread, I could see
> at least three modes of operation:
> 1) Disabled. The default setting.
> 2) Audit mode. Report perceived problems to logfile. This can be
> used by developers to catch bugs, and by deployers for quality
> assessment (but developers please don't start screaming yet).
> 3) Enforcement mode. Don't allow execution past a perceived problem.
Wietse,
What mostly everyone is discussing here in the last few days is
really an issue of perception. If we have mode 3, it means we imply
that enabling it magically secures your application, regardless of
whether we believe that or not.
I don't like mode 3 because I don't want to set expectations that we
know we can't fulfill. Tainting can help you fix certain problems in
your code, and help you create more secure applications. "Helping
you create a more secure app" means we pitch it as a development tool
that helps you - it's a huge difference from saying it in itself
increases the security of applications, which positions it as a
safety net that protects you.
Thankfully, the implementation is pretty much identical between
modes 2 and 3 (pretty much the only difference would be using different
error levels), so we can discuss it again once the implementation is ready.
Zeev
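The three modes Wietse lists (disabled, audit, enforcement) and Zeev's remark that modes 2 and 3 differ only in how a detected problem is reported can be shown with a small simulation. This is an added example written for this page; it is not code from the thread and not PHP's taint implementation. It assumes a toy `Tainted` string type that propagates taint through concatenation only, a `TaintChecker` consulted at a sensitive sink (here a fake database query), and an explicit `untaint` step that a sanitizer calls once it has escaped a value. The same check runs in both audit and enforcement mode; only the reaction differs (log and continue versus raise and stop).

```python
import logging
from enum import Enum


class Mode(Enum):
    DISABLED = 0   # mode 1: no checks at all (the default)
    AUDIT = 1      # mode 2: report to the log, keep running
    ENFORCE = 2    # mode 3: refuse to execute past the problem


class TaintViolation(Exception):
    """Raised in ENFORCE mode when tainted data reaches a sink."""


class Tainted(str):
    """A str carrying a taint mark: it came from an untrusted source.

    Taint propagates through '+' concatenation only. f-strings and
    %-formatting silently produce plain str here, which illustrates why
    real taint tracking belongs in the runtime rather than user code.
    """

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        # Python tries this before str.__add__ because Tainted subclasses str
        return Tainted(str.__add__(other, self))


def is_tainted(value) -> bool:
    return isinstance(value, Tainted)


def untaint(value: str) -> str:
    """Clear the taint after the caller has validated or escaped the value.

    str() on a str subclass returns a plain, exact str object.
    """
    return str(value)


class TaintChecker:
    """Consulted at every sink; behaviour depends only on the configured mode."""

    def __init__(self, mode: Mode):
        self.mode = mode
        self.reports = []   # every detected problem, whatever the mode

    def check_sink(self, sink: str, value: str) -> None:
        if self.mode is Mode.DISABLED or not is_tainted(value):
            return
        msg = f"tainted data reached sink {sink!r}: {value!r}"
        self.reports.append(msg)
        if self.mode is Mode.AUDIT:
            logging.warning(msg)   # report only; execution continues
            return
        raise TaintViolation(msg)  # ENFORCE: same detection, different reaction


def run_query(checker: TaintChecker, sql: str) -> dict:
    """Fake database sink: the taint check happens before 'execution'."""
    checker.check_sink("db_query", sql)
    return {"executed": True, "sql": str(sql)}


def escape_sql_literal(value: str) -> str:
    """Toy escaping for a SQL string literal (doubles single quotes).

    Calling untaint() records that a sanitizer has handled the value.
    A real application would use parameterized queries instead.
    """
    return untaint(value.replace("'", "''"))


def lookup_user(checker: TaintChecker, name: str, sanitize: bool = False) -> dict:
    """Simulated request handler; `name` is taken straight from the request."""
    if sanitize:
        name = escape_sql_literal(name)
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return run_query(checker, sql)


def demo() -> dict:
    """Run the same unsanitized request under all three modes."""
    request_name = Tainted("O'Brien")   # constructed: as if read from a query string
    results = {}
    for mode in Mode:
        checker = TaintChecker(mode)
        try:
            lookup_user(checker, request_name)
            results[mode.name] = ("executed", len(checker.reports))
        except TaintViolation:
            results[mode.name] = ("blocked", len(checker.reports))
    return results


if __name__ == "__main__":
    for mode_name, outcome in demo().items():
        print(f"{mode_name:9s} -> {outcome[0]}, {outcome[1]} report(s)")
```

Note that `TaintChecker.reports` is identical in audit and enforcement mode for the same input; what differs is whether `run_query` ever reaches its `return`. That is the point Zeev makes about mode 2 versus mode 3 being the same implementation with a different error level, and it is also why audit mode alone cannot be read as proof that an application is safe: it only records the cases the tracker happens to see.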
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php