2015-09-14 4:44 GMT+02:00 Christopher Owen <christopher.o...@live.com>:
> Please consider making ‘taint’ a first-class feature/extension in PHP 7.0.


I would echo Kalle's suggestion of 7.1.

But I think you will find it hard to get support... I was pushing this a few 
weeks ago (either the one from Wietse Venema, the one from Matt Tait, or even 
my own suggestion), but it seems the developers are more interested in features 
that make them seem clever, rather than pointing out their mistakes...

And yes, I am intentionally trying to be provocative.

I'm annoyed that so much time was spent on type hinting, just so we can enforce 
[bool/float/int/string], yet most of the time it is the encoding of strings 
that introduces security problems - not just SQLi, but also things like XSS.

Craig
On 14 Sep 2015, at 22:17, Christopher Owen <christopher.o...@live.com> wrote:

> 
>> On Sep 14, 2015, at 1:35 PM, Kalle Sommer Nielsen <ka...@php.net> wrote:
>> 
>> Hi Christopher
>> 
>> 2015-09-14 4:44 GMT+02:00 Christopher Owen <christopher.o...@live.com>:
>>> Please consider making ‘taint’ a first-class feature/extension in PHP 7.0.
>> 
>> It is way too late for any extension to be included in the 7.0 release
>> now, but you can write an RFC targeting 7.1, please see the wiki for
>> more details[1].
> 
> Thank you for the advice; it makes much more sense to target 7.1.
> 
> We can see that Wietse Venema, the same man who wrote the highly regarded, 
> security-hardened email software Postfix, has authored an RFC for taint's 
> inclusion in PHP in the past [1].  Also, a reference implementation has been 
> most recently championed by Xinchen (Laruence) Hui, a core PHP developer [2].
> 
> Given those that came before me, I’m not certain that I can add much in the 
> way of reputation or skill to the request to add taint as a first-class 
> feature of PHP 7.1, but if there are any procedural efforts required then I 
> will be happy to champion them.
> 
> I can add that I have personally found taint (either in its original form in 
> perl[3] or as an extension in php) a valuable tool in refactoring legacy php 
> code to reduce SQL injection attack surface.
> 
> As authoritative internet ‘top ten’ lists will list SQL injection as the number 
> one security vulnerability facing web applications [4] and given the scale of 
> deployed php, efforts to improve tooling (or in this case, the availability 
> of existing tooling) to discover this class of vulnerabilities will have a 
> positive impact on a global scale.
> 
> Kind regards,
> Christopher Owen.
> 
> [1] https://wiki.php.net/rfc/taint
> [2] http://pecl.php.net/package/taint
> [3] http://perldoc.perl.org/perlsec.html#Taint-mode
> [4] http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
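The taint mode discussed above, as an added toy model written for this thread (not the PECL extension's or Perl's own code): request data is tainted at its source, the taint survives string concatenation, and a query sink refuses tainted text until an escaping function clears it. The function names, the sample request parameter and the string-returning sink are constructed for illustration.

```python
"""Toy model of perl-style taint mode, as the PECL taint extension applies
it to PHP: request data is tainted at the source, taint survives string
concatenation, and a sink refuses tainted input until a sanitizer clears it."""


class TaintError(Exception):
    """Raised when untrusted data reaches a sink without being sanitized."""

class Tainted(str):
    """A str carrying a taint flag; concatenation on either side keeps it."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))
    def __radd__(self, other):  # subclass rule: runs for "literal" + Tainted
        return Tainted(str.__add__(str(other), self))

def is_tainted(value) -> bool:
    return isinstance(value, Tainted)

def request_param(params: dict, key: str) -> Tainted:
    """Source: anything from the request is untrusted (like $_GET in PHP)."""
    return Tainted(params[key])

def escape_sql_literal(value: str) -> str:
    """Sanitizer: quote for a SQL string literal and return a plain (untainted) str.
    Untainting is the developer's claim that the value is safe for THIS sink only."""
    return str(value).replace("'", "''")

def run_query(sql: str) -> str:
    """Sink: stand-in for mysqli_query(); rejects tainted SQL text instead of running it."""
    if is_tainted(sql):
        raise TaintError("tainted data reached SQL sink: " + str(sql))
    return "executed: " + sql

def lookup_user_unsafe(params: dict) -> str:
    """Legacy pattern: raw request data concatenated straight into the query."""
    name = request_param(params, "name")
    return run_query("SELECT id FROM users WHERE name = '" + name + "'")

def lookup_user_safe(params: dict) -> str:
    """Refactored: the value is escaped (and so untainted) before the sink sees it."""
    name = escape_sql_literal(request_param(params, "name"))
    return run_query("SELECT id FROM users WHERE name = '" + name + "'")

if __name__ == "__main__":
    sample = {"name": "O'Brien"}  # constructed request parameter
    try:
        lookup_user_unsafe(sample)
    except TaintError as err:
        print("caught:", err)
    print(lookup_user_safe(sample))
```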


--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
