Hi!

>> Taint is blacklisting.
>
> Last time I checked marking all user input as tainted and requiring
> "untainting" before usage in sensitive functions is whitelisting and not
> blacklisting.
I would say it's neither - whitelisting is an explicit check (or fixing, to ensure) that the input matches certain conditions (blacklisting is the same but "does not match") - but taint actually doesn't do that. All it does is ensure you did *some* data fixing - it can't really ensure *what* you did, what the results of the fixing were, and whether the fixing you employed matches the security context in which you are using the data.

So taint does only half the work of either blacklist or whitelist - it ensures you didn't forget to do _something_, where that something could be a whitelist, or could be something useless altogether. That's the main thing one needs to remember when using taint - it doesn't do any work, it just reminds you to do work, and you still have to ensure the work is right.

-- 
Stas Malyshev
smalys...@gmail.com

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
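To make the distinction above concrete, here is a small userland PHP sketch added as an illustration; it is not code from this thread, from any taint proposal, or from the PHP runtime. The class name Tainted, the helpers untaintForHtml and untaintForSqlInt, and the sink buildQuery are hypothetical names chosen for the example, and the input string is constructed. The type system stands in for the taint check: a sensitive sink refuses a Tainted value, so forgetting to "fix" the data is caught, but any function that returns a plain string satisfies the check, whether or not it fits the context the data is used in.

```php
<?php
declare(strict_types=1);

// Added example, not from the mailing list thread or from PHP itself.
// "Tainted", "untaintForHtml", "untaintForSqlInt" and "buildQuery" are
// hypothetical names; the attacker input below is constructed.

/** A value that came from outside and has not been "fixed" yet. */
final class Tainted
{
    public function __construct(public readonly string $value) {}
}

/** Untainting for an HTML context: escapes HTML metacharacters only. */
function untaintForHtml(Tainted $t): string
{
    return htmlspecialchars($t->value, ENT_QUOTES, 'UTF-8');
}

/** Untainting for a SQL integer context: a whitelist check, not escaping. */
function untaintForSqlInt(Tainted $t): int
{
    $id = filter_var($t->value, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException("not an integer: {$t->value}");
    }
    return $id;
}

/**
 * Sensitive sink. Refusing a Tainted argument is all the "taint check"
 * can do; it cannot know which untaint function produced the string.
 */
function buildQuery(string|int $id): string
{
    return "SELECT * FROM users WHERE id = " . $id;
}

$input = new Tainted("1 OR 1=1");   // constructed attacker input

// 1. Nobody untainted the value: the check fires, as taint promises.
try {
    buildQuery($input);
} catch (TypeError $e) {
    echo "taint caught: raw input reached the sink\n";
}

// 2. Untainted for the wrong context: the check is satisfied, but
//    HTML escaping leaves "1 OR 1=1" untouched, so the injected
//    OR clause lands in the query unchanged.
echo buildQuery(untaintForHtml($input)), "\n";

// 3. Untainted with a check that matches the SQL integer context:
//    the non-integer input is rejected before it reaches the sink.
try {
    echo buildQuery(untaintForSqlInt($input)), "\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Run it with `php taint_demo.php` (PHP 8.1 or later, for the readonly promoted property). Cases 2 and 3 both pass the taint check; only the reviewer, or a test, can tell that case 2 applied a fix that is useless for the context it feeds.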