Hey:

On Thu, Sep 17, 2015 at 2:37 AM, Stanislav Malyshev <smalys...@gmail.com> wrote:
> Hi!
>
>>> Taint is blacklisting.
>>>
>> Last time I checked marking all user input as tainted and requiring
>> "untainting" before usage in sensitive functions is whitelisting and not
>> blacklisting.
>
> I would say it's neither - whitelisting is an explicit check (or fixing,
> to ensure) that the input matches certain conditions (blacklisting is
> the same but "does not match") - but taint actually doesn't do that. All
> it does is ensure you did *some* data fixing - it can't really ensure
> *what* you did, what were the results of the fixing and if the fixing
> you employed match the security context in which you are using the data.
> So taint does only the half of the work of either blacklist or whitelist
> - it ensures you didn't forget to do _something_, where something could
> be white-list. Or be something useless at all. That's the main thing one
> needs to remember when using taint - it doesn't do any work, it just
> reminds you to do work, and you still have to ensure the work is right.
Just for the record, Taint is ready for PHP7: https://github.com/laruence/taint/tree/php7

thanks

> --
> Stas Malyshev
> smalys...@gmail.com
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php

--
Xinchen Hui
@Laruence
http://www.laruence.com/
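The limitation Stas describes above (taint only records that *some* fixing happened, not whether it was the right fixing for the sink) can be made concrete with a small model of taint propagation. The following is an added illustration written for this thread; it is not code from the laruence/taint extension, and the names `TaintedStr`, `user_input`, `untaint`, `html_escape`, `sql_quote`, `echo_html` and `sql_query` are assumptions that stand in for an extension marking request data as tainted, the sanitizers that clear the flag, and the sinks that refuse tainted data.

```python
"""Toy taint-tracking model (added example, not the laruence/taint extension)."""
import html


class TaintedStr(str):
    """A str that remembers whether it came from untrusted input.

    The flag survives concatenation, which is how a query or HTML fragment
    is normally assembled, so a sink sees whether any piece was untrusted.
    """

    def __new__(cls, value, tainted=True):
        obj = super().__new__(cls, value)
        obj.tainted = tainted
        return obj

    def __add__(self, other):
        return TaintedStr(str.__add__(self, other), self.tainted or is_tainted(other))

    def __radd__(self, other):
        # Called for plain_str + TaintedStr because TaintedStr subclasses str.
        return TaintedStr(str.__add__(str(other), self), self.tainted or is_tainted(other))


class TaintError(Exception):
    """Raised when tainted data reaches a sensitive sink unfixed."""


def is_tainted(value):
    return isinstance(value, TaintedStr) and value.tainted


def untaint(value):
    """Clear the flag. The model cannot know *why* the caller thinks it is safe."""
    return TaintedStr(value, tainted=False)


def user_input(raw):
    """Stand-in for request data ($_GET, $_POST, ...): always tainted on entry."""
    return TaintedStr(raw)


def html_escape(value):
    """Correct fixing for an HTML sink; clears the taint flag."""
    return untaint(html.escape(str(value), quote=True))


def sql_quote(value):
    """Correct fixing for a SQL string literal; also clears the taint flag."""
    return untaint("'" + str(value).replace("'", "''") + "'")


def echo_html(fragment):
    if is_tainted(fragment):
        raise TaintError("tainted data reached an HTML sink")
    return str(fragment)


def sql_query(query):
    if is_tainted(query):
        raise TaintError("tainted data reached a SQL sink")
    return str(query)


def check_sinks(raw):
    """Run one untrusted value through the SQL sink three ways and report the outcome."""
    name = user_input(raw)
    results = {}

    # 1. No fixing at all: the taint check catches the forgotten step.
    try:
        sql_query("SELECT * FROM users WHERE name = " + name)
        results["unsanitized_sql"] = "allowed"
    except TaintError:
        results["unsanitized_sql"] = "blocked"

    # 2. Fixing that matches the context: allowed, and actually safe.
    results["sql_quoted_sql"] = sql_query(
        "SELECT * FROM users WHERE name = " + sql_quote(name))

    # 3. Fixing that does NOT match the context: HTML escaping clears the flag,
    #    so the taint check passes even though nothing protected the SQL sink.
    #    This is the half of the work taint leaves to the developer.
    results["html_escaped_sql"] = sql_query(
        "SELECT * FROM users WHERE name = " + html_escape(name))
    return results


if __name__ == "__main__":
    for sink, outcome in check_sinks("O'Brien <b>").items():   # constructed input
        print(f"{sink}: {outcome}")
```

Case 3 is the point of the thread: the model (like any taint mechanism) confirms only that an untaint step occurred, so a code review or a context-aware escaping policy is still needed to confirm the fixing matched the sink.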