A preliminary implementation of PHP taint support is available from ftp://ftp.porcupine.org/pub/php/

This code is released under version 2.00 of the Zend license.
Below are fragments from the README file. For the full text please see ftp://ftp.porcupine.org/pub/php/php-5.2.3-taint-20071102.README.html

This file also has information about using taint in real applications, about run-time performance, and about changes within the PHP core. Most of all, your feedback is welcome, so that I can make this code as easy to use and as performant as possible.

Wietse Venema
IBM Research

[ Start of README fragments ]

Introduction
============

This is a preliminary implementation of support for tainted variables in PHP. The goal is to help PHP application programmers find and eliminate opportunities for HTML script injection, SQL or shell code injection, or PHP control hijacking, before other people can exploit them.

The implementation provides taint support for basic operators and for a selection of built-in functions and extensions. A list of what is implemented so far is at the end of this document.

The good news is that performance is better than I hoped it would be. However, the implementation is incomplete, so please don't be surprised when something is still missing. For example, I have not yet implemented taint support for object-specific operations, and taint checks assume that output has a Content-Type: of text/html. It also does not yet fully adhere to coding and documentation conventions. All this needs to be taken care of in future releases.

I need your feedback to make this code complete. I hope to do several quick 1-2 month release cycles in which I collect feedback, fill in missing things, and adjust course until things stabilize. Right now the code is based on PHP 5.2.3, but I expect to catch up with the current PHP release next time.
A quick example
===============

To give an idea of the functionality, consider this simple PHP program with an obvious HTML script injection bug:

    <?php
    $inputfield = $_GET['inputfield'];
    echo "You entered: $inputfield\n";
    ?>

With default .ini settings, this program does exactly what the programmer wrote: it echoes the contents of the client's inputfield request attribute, including all the HTML script code that an attacker may have supplied along with it.

When I add one setting to a php.ini file, or the equivalent ini_set() call to the script itself, the program still produces the same output, but it also produces a warning:

Add to php.ini:

    taint_error_level = E_WARNING

Add to script:

    ini_set("taint_error_level", E_WARNING);

Warning:

    Warning: echo(): Argument contains data that is not converted with
    htmlspecialchars() or htmlentities() in /path/to/script on line 3

When I change the taint error level from E_WARNING into E_ERROR, script execution terminates before echo produces any output.

Introducing multiple flavors of taint
=====================================

Conversion functions such as htmlspecialchars() exist not only for boring security reasons! They are also required for robustness. Without the proper output conversion, shell or SQL commands fail when given a legitimate name such as O'Reilly. Bugs like this are easily overlooked, because they trigger only with unusual data. However, these bugs are trivial to find with taint support, because you get the "missing conversion" warning message even when you test the program with ordinary data.

This point is worth repeating, so I will repeat it now: With taint support, you don't need malicious inputs to find out where a PHP script may have opportunities for HTML script injection, shell or SQL code injection, or PHP control hijacking.

To encourage programmers to use the RIGHT conversion function, I have implemented multiple flavors of taint.
Each time data enters a PHP application from the web, from database or from elsewhere, it may be "tainted" with zero or more taint flavors, so that the PHP engine can warn the programmer and suggest an appropriate conversion function.

[ End of README fragments ]

Please see the complete README file for the unabridged text, including information on the other topics:

* Using taint support with real PHP applications
* Performance
* Low-level implementation
* Taint propagation policy
* PHP core changes
* Loose ends
* Distant future
* Feature summary

The complete README file and source code are available from ftp://ftp.porcupine.org/pub/php/

-- 
PHP Internals - PHP Runtime Development Mailing List
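The "quick example" and "multiple flavors of taint" sections above explain the idea but show only the HTML sink. The script below is an added example, written for this page; it is not code from Wietse Venema's README or from the taint patch. It takes the same request attribute and sends it to the three sinks the README names (HTML output, a shell command, an SQL query), showing the original unconverted form as a comment beside the form that uses the conversion function each sink needs. The README's legitimate input O'Reilly is used as the default so the robustness point can be seen without any hostile data. The SQLite in-memory database, the customers table and the printf shell command are constructed for the example; which conversion functions the taint patch itself recognizes as removing a given taint flavor is not stated in the fragments above and must be taken from the full README's feature summary.

```php
<?php
// Added example (not from the taint patch or its README). PHP 5.2-compatible.
// Assumptions: PDO with the sqlite driver is available; 'customers' is a
// hypothetical table; printf is used as a harmless stand-in for a real command.

ini_set('display_errors', '1');
error_reporting(E_ALL);

// The README's legitimate-but-awkward input, used when no request attribute
// is present so the script also runs from the command line.
$inputfield = isset($_GET['inputfield']) ? $_GET['inputfield'] : "O'Reilly";

// 1. HTML sink.
// Original form from the README (HTML script injection; with
// taint_error_level = E_WARNING the taint patch warns that the argument is
// not converted with htmlspecialchars() or htmlentities()):
//     echo "You entered: $inputfield\n";
// Converted form: <, >, &, " and ' become entities, so the value is data, not markup.
function render_html($value)
{
    return "You entered: " . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "\n";
}
echo render_html($inputfield);

// 2. Shell sink.
// Original form: the quote in O'Reilly unbalances the shell's quoting; the
// command fails on legitimate input and runs attacker-chosen text on hostile input:
//     $out = shell_exec("printf '%s\\n' '$inputfield'");
// Converted form: escapeshellarg() wraps the value in single quotes and escapes
// embedded single quotes, so the shell receives exactly one literal argument.
function run_shell($value)
{
    return shell_exec('printf %s\\\\n ' . escapeshellarg($value));
}
echo "Shell saw: " . run_shell($inputfield);

// 3. SQL sink.
// Original form: the quote in O'Reilly terminates the string literal, so the
// query is a syntax error on legitimate input and an injection on hostile input:
//     $db->query("SELECT name FROM customers WHERE name = '$inputfield'");
// Converted form: a prepared statement keeps the value out of the SQL text.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (name TEXT)');
$seed = $db->prepare('INSERT INTO customers (name) VALUES (?)');
$seed->execute(array("O'Reilly"));   // constructed sample row
$seed->execute(array('Smith'));

function find_customer(PDO $db, $value)
{
    $stmt = $db->prepare('SELECT name FROM customers WHERE name = ?');
    $stmt->execute(array($value));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}
$rows = find_customer($db, $inputfield);
echo "SQL matched " . count($rows) . " row(s): " . implode(', ', $rows) . "\n";
```

Run it from the command line (php taint_example.php) and the O'Reilly default passes through all three sinks unchanged; request it over the web with inputfield=&lt;script&gt; and the HTML sink shows entities rather than executing markup. Each commented-out line is the form that, under the taint patch with taint_error_level set, would produce a "missing conversion" warning even for the harmless default input, which is the README's point that the warnings surface robustness bugs before anyone supplies hostile data.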