On 18/11/2007, Stefan Esser <[EMAIL PROTECTED]> wrote:
> Good Morning,
>
> I just wanted to ask if there was ever a decision made that said tainted
> mode will go into PHP mainstream.
>
> Currently there are two implementations available:
>
> GRASP by Coresecurity
> * pro: byte level tainting which actually works
> * negative: slow
>
> PHP Taint mode by Wietse Venema/IBM
> * pro: faster
> * negative: broken design+insecure
>
> It is no secret that I don't like the idea of a taint mode in PHP
> because it cannot be made secure and fast at the same time.
> Coresecurity's GRASP is the best example for this: it uses a secure
> design and is therefore slow. On the other hand it
> seems some people want the fast implementation of Wietse in the core,
> which would be bad, because it is based on
> wrong assumptions and uses an insecure design that does only give a
> false sense of security.
>
> Examples for the wrong assumptions in PHP Taintmode:
> 1) _SERVER['PHP_SELF'] is not safe and allows XSS (and more) in many
> applications
> 2) Using mysql_real_escape_string() on user input does not make it safe
> for SQL. It only makes SQL strings safe.
> Example: "SELECT * FROM table WHERE id=".mysql_real_escape_string($id)
> is NOT secure but will result in no taint warning
> 3) Using htmlentities() on user input does not make it safe for HTML
> output. It only makes it safe in some situations.
> Example: echo '....<sometag style="some-attribute:
> ',htmlentities($user_input),'">'. Will allow XSS through the style
> attribute without a taint warning
> Example2: echo '....<img src="',htmlentities($user_input),'">'. Will
> allow XSS through javascript: URL (f.e. in Opera) without a taint warning
I believe the primary use case for taint mode would be to use it in development: taint mode is a mode which can be turned on to give you an idea of where your application may have exposed some vulnerabilities; let you fix those identified vulnerabilities; then turn off for production purposes. The speed of the implementation, if this is indeed the intention for taint mode, would therefore be irrelevant.

http://devzone.zend.com/node/view/id/1526#Heading3 suggests that we've had this discussion before and almost came to agreement that taint mode would be used as a development tool.

--
Dan Scott
Laurentian University

--
PHP Internals - PHP Runtime Development Mailing List
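Stefan Esser's second example (escaping a value that lands in an unquoted integer context) is the design flaw he is pointing at: a taint mode that clears the taint bit whenever a sanitizer runs cannot tell that the sanitizer was wrong for the context. The following is an added illustration, not part of this thread and not the code of either taint implementation; it models that "sanitizer clears taint" rule in Python with a constructed `T` type, shows the escaped query passing the taint check while still being injectable, and contrasts it with a context-aware integer check that a development-time tool would have to enforce instead.

```python
# Constructed model of "a sanitizer clears the taint bit" taint tracking.
# Not the PHP Taint mode code; it only reproduces the reasoning flaw.
from dataclasses import dataclass


@dataclass
class T:
    """A string carrying a taint bit (True = derived from user input)."""
    s: str
    tainted: bool

    def __add__(self, other):
        # Concatenation propagates taint, as a taint tracker would.
        o = other if isinstance(other, T) else T(other, False)
        return T(self.s + o.s, self.tainted or o.tainted)


def mysql_real_escape_string(v: T) -> T:
    """Escapes quote characters; the taint mode then treats it as clean."""
    esc = v.s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return T(esc, False)  # taint cleared regardless of where the value goes


def taint_warning(sql: T) -> bool:
    """True if a sink check would raise a taint warning for this query."""
    return sql.tainted


def build_query_escaped(user_id: str) -> T:
    # Esser's example: escaping for an unquoted integer context.
    return T("SELECT * FROM table WHERE id=", False) + \
        mysql_real_escape_string(T(user_id, True))


def build_query_int(user_id: str) -> T:
    # Context-aware fix: only an integer literal may reach this position.
    if not user_id.lstrip("-").isdigit():
        raise ValueError("id must be an integer literal")
    return T("SELECT * FROM table WHERE id=", False) + T(str(int(user_id)), False)


def int_query_or_none(user_id: str):
    """Helper for callers: the safe query text, or None if input is rejected."""
    try:
        return build_query_int(user_id).s
    except ValueError:
        return None


if __name__ == "__main__":
    q = build_query_escaped("1 OR 1=1")
    print(taint_warning(q), q.s)   # False, yet the WHERE clause was rewritten
    print(int_query_or_none("1 OR 1=1"), int_query_or_none("42"))
```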