Hi Stefan,
I just wanted to ask if there was ever a decision made that said tainted mode will go into PHP mainstream.
No decision as such - I believe Wietse is doing his best to find out exactly how viable it is, no?
It seems some people want the fast implementation of Wietse in the core which would be bad, because it is based on wrong assumptions and uses an insecure design that only gives a false sense of security.
In a preliminary release for feedback purposes you talk about wrong assumptions? Surely this is the whole point of having a preliminary release for feedback :)
Examples for the wrong assumptions in PHP Taintmode:

1) _SERVER['PHP_SELF'] is not safe and allows XSS (and more) in many applications.

2) Using mysql_real_escape_string() on user input does not make it safe for SQL. It only makes SQL strings safe. Example: "SELECT * FROM table WHERE id=".mysql_real_escape_string($id) is NOT secure but will result in no taint warning.

3) Using htmlentities() on user input does not make it safe for HTML output. It only makes it safe in some situations. Example: echo '....<sometag style="some-attribute: ',htmlentities($user_input),'">'. Will allow XSS through the style attribute without a taint warning. Example 2: echo '....<img src="',htmlentities($user_input),'">'. Will allow XSS through javascript: URL (f.e. in Opera) without a taint warning.
Now, yes. Since these are all things that 'every fule know', isn't it more than likely that they'll be addressed before taint mode ever sees the light of day?
I think it's probably worth giving Wietse as much help as you can at this stage to make it better, since the thing's fast and since you know where to find the problem areas better than anyone. That said - I don't know if it's possible to have an extension/hooks approach without losing speed, but if it _is_ I'd personally vote for taking that approach.
- Steph

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
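As an added illustration of points 2) and 3) in the thread above (example code written for this page, not from the thread or from PHP Taintmode), the following PHP shows why an escaping call on its own says nothing about the context the value ends up in. escape_sql_string() is an assumed stand-in that mimics the quoting mysql_real_escape_string() performs, so the script runs without a database connection; the inputs are constructed sample values.

```php
<?php
// Stand-in for mysql_real_escape_string(): escapes the same characters,
// needs no connection. (Assumption for this example, not the real API.)
function escape_sql_string(string $s): string {
    return strtr($s, ["\\" => "\\\\", "'" => "\\'", "\"" => "\\\"",
                      "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z"]);
}

// 2) Unquoted numeric context: escaping never touches the input, so the
//    query is still injectable even though "an escaper was called".
function query_vulnerable(string $id): string {
    return "SELECT * FROM t WHERE id=" . escape_sql_string($id);
}
// Hardened: enforce the type the column expects instead of escaping.
function query_hardened(string $id): ?string {
    if (!ctype_digit($id)) { return null; }      // reject anything but a plain integer
    return "SELECT * FROM t WHERE id=" . (int) $id;
}

// 3) URL attribute context: htmlentities() only neutralises HTML
//    metacharacters; a javascript: scheme contains none, so it survives.
function img_vulnerable(string $url): string {
    return '<img src="' . htmlentities($url, ENT_QUOTES, 'UTF-8') . '">';
}
// Hardened: allow-list the scheme first, then escape for the attribute.
// (The style-attribute case from the thread needs the same kind of
// context-specific validation; escaping alone does not cover it.)
function img_hardened(string $url): ?string {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) { return null; }
    return '<img src="' . htmlentities($url, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed sample inputs.
$id  = "1 OR 1=1";
$url = "javascript:alert(1)";

echo "vulnerable: ", query_vulnerable($id), "\n";   // escaper changed nothing
echo "hardened:   ", var_export(query_hardened($id), true), "\n"; // NULL: rejected
echo "vulnerable: ", img_vulnerable($url), "\n";    // javascript: URL intact
echo "hardened:   ", var_export(img_hardened($url), true), "\n";  // NULL: rejected
echo "hardened:   ", img_hardened("https://example.com/a.png?x=1&y=2"), "\n";
```

Both vulnerable functions are exactly the pattern the thread says a function-based taint mode would clear, which is why a taint checker has to track the output context, not just whether an escaper was called.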