On 9/15/2015 9:10 AM, Dennis Birkholz wrote:
> Hi all,
> On 15.09.2015 at 17:09, Craig Francis wrote:
>> 2015-09-14 4:44 GMT+02:00 Christopher Owen <christopher.o...@live.com>:
>>> Please consider making ‘taint’ a first-class feature/extension in PHP 7.0.
>> I would echo Kalle's suggestion of 7.1.
>> But I think you will find it hard to get support... I was pushing this a few
>> weeks ago (either the one from Wietse Venema, the one from Matt Tait, or even
>> my own suggestion), but it seems the developers are more interested in features
>> that make them seem clever, rather than pointing out their mistakes...
> the problem with taint support is to get it 100% right. If you leave one
> edge case open, who is to blame? PHP or the developer that was totally
> confident the taint support might warn him?
You can grab the following four paragraphs and add them to whatever
documentation on taint you might use.
==8<--------------------------
Taint is blacklisting.
Blacklisting, in and of itself and regardless of the form it takes, is
an immediate indicator of an application that is prone to security
vulnerabilities and/or breakage that can lead to a vulnerability.
With extraordinarily rare exceptions, blacklists are never 100% correct.
Even if it can manage to reach 100% accuracy today, a blacklist will
be out of date tomorrow due to advances in the field.
While writing software being paired with a blacklist such as taint,
performing an appropriate security audit of the software is the only
truly effective approach to securing that software.
====8<------------------------
Problem solved. Also, those are ASCII scissors (in case anyone is
wondering).
As a side note, preg_match() is my current favorite blacklist indicator
of "code with probable security vulnerabilities." If taint is added to
PHP without a suitable caveat lector, it merely adds another tool to my
psychological profiling arsenal.
--
Thomas Hruska
CubicleSoft President
I've got great, time saving software that you will find useful.
http://cubiclesoft.com/
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
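The blacklist-versus-allowlist point made in the message above, as an added PHP example that is not part of the thread and not code from any of the taint proposals it mentions. It puts a preg_match() blacklist (reject what we already know is bad) beside an allowlist (accept only the shape we intend to serve) and runs both over a few constructed file-name inputs; the inputs, the pattern lists and the function names are assumptions for illustration only.

```php
<?php
declare(strict_types=1);

// Blacklist: reject inputs matching patterns already known to be bad.
// Every pattern is a guess about the attacker; anything not guessed passes.
function blacklist_ok(string $name): bool
{
    $known_bad = [
        '#\.\./#',   // dot-dot-slash traversal
        '#^/#',      // absolute path
        '#\x00#',    // embedded NUL byte
    ];
    foreach ($known_bad as $pattern) {
        if (preg_match($pattern, $name) === 1) {
            return false;
        }
    }
    return true;
}

// Allowlist: accept only the shape the application actually serves.
// \A and \z anchor the whole string; with ^ and $ a trailing newline would
// slip through, because $ matches before a final "\n" in PCRE.
function allowlist_ok(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\.txt\z/', $name) === 1;
}

// Constructed inputs (hypothetical, not from the thread) with what each probes.
$inputs = [
    'report.txt'             => 'benign',
    '../../etc/passwd'       => 'traversal the blacklist knows about',
    '..\\..\\boot.ini'       => 'backslash traversal: not in the blacklist',
    '..%2f..%2fetc%2fpasswd' => 'percent-encoded slash: decoded later, invisible now',
    "report.txt\n"           => 'trailing newline: rejected only because of \\z',
];

printf("%-26s %-9s %-9s %s\n", 'input', 'blacklist', 'allowlist', 'note');
foreach ($inputs as $name => $note) {
    printf("%-26s %-9s %-9s %s\n",
        addcslashes($name, "\n\\"),
        blacklist_ok($name) ? 'pass' : 'reject',
        allowlist_ok($name) ? 'pass' : 'reject',
        $note);
}
```

Run with `php example.php`. The blacklist rejects only the two inputs it was written for and passes the backslash, percent-encoded and trailing-newline variants; the allowlist rejects all four hostile inputs without knowing any of them, which is the practical difference between enumerating badness and defining goodness. Whatever one thinks of taint as a mechanism, the same check applies to it: its value is bounded by the list of sinks and sanitizers it knows about, so the audit still has to happen.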