Just to add to the whitelisting/blacklisting argument...

I would say that tainting is a whitelist approach, as everything is blocked by 
default (seen as untainted), and you need to escape your variables depending on 
the context they will be used in (or go out of your way to say it has already 
been escaped, for the rare edge cases mentioned in previous discussions).



On 16 Sep 2015, at 15:13, Thomas Hruska <thru...@cubiclesoft.com> wrote:
> As a side note, preg_match() is my current favorite blacklist indicator of 
> "code with probable security vulnerabilities."


I completely disagree: preg_match can work both ways. It can do whitelisting or 
blacklisting, as Anthony demonstrated:

if (preg_match('/^[a-z0-9]+$/', $input)) {
    // only characters from the whitelist [a-z0-9] matched; $input is usable here
}

That whitelists only certain characters; anything else won't match.

Craig






On 16 Sep 2015, at 15:13, Thomas Hruska <thru...@cubiclesoft.com> wrote:

> On 9/15/2015 9:10 AM, Dennis Birkholz wrote:
>> Hi all,
>> 
>> Am 15.09.2015 um 17:09 schrieb Craig Francis:
>>> 2015-09-14 4:44 GMT+02:00 Christopher Owen <christopher.o...@live.com>:
>>>> Please consider making ‘taint’ a first-class feature/extension in PHP 7.0.
>>> 
>>> I would echo Kalle's suggestion of 7.1.
>>> 
>>> But I think you will find it hard to get support... I was pushing this a 
>>> few weeks ago (either the one from Wietse Venema, the one from Matt Tait, 
>>> or even my own suggestion), but it seems the developers are more interested 
>>> in features that make them seem clever, rather than pointing out their 
>>> mistakes...
>> 
>> the problem with taint support is to get it 100% right. If you leave one
>> edge case open, who is to blame? PHP or the developer that was totally
>> confident the taint support might warn him?
> 
> You can grab the following four paragraphs and add it to whatever 
> documentation on taint you might use.
> 
> ==8<--------------------------
> Taint is blacklisting.
> 
> Blacklisting, in and of itself and regardless of the form it takes, is an 
> immediate indicator of an application that is prone to security 
> vulnerabilities and/or breakage that can lead to a vulnerability.
> 
> With extraordinarily rare exceptions, blacklists are never 100% correct.  
> Even if it can manage to reach 100% accuracy today, a blacklist will be out 
> of date tomorrow due to advances in the field.
> 
> While writing software being paired with a blacklist such as taint, 
> performing an appropriate security audit of the software is the only truly 
> effective approach to securing that software.
> ====8<------------------------
> 
> Problem solved.  Also, those are ASCII scissors (in case anyone is wondering).
> 
> As a side note, preg_match() is my current favorite blacklist indicator of 
> "code with probable security vulnerabilities."  If taint is added to PHP 
> without a suitable caveat lector, it merely adds another tool to my 
> psychological profiling arsenal.
> 
> -- 
> Thomas Hruska
> CubicleSoft President
> 
> I've got great, time saving software that you will find useful.
> 
> http://cubiclesoft.com/
> 
> -- 
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
> 


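The two points above (tainting as "blocked by default, escape per context", and preg_match working as either a whitelist or a blacklist) side by side in one script. This is an added example for this page, not code from the thread, from Anthony's post, or from any PHP taint extension. The `Tainted` class and its methods (`fromRequest`, `forHtml`, `forShellArg`, `ifMatches`, `unsafeRaw`) are hypothetical names chosen for the illustration, the sample inputs are constructed, and the script assumes PHP 8.0+ (constructor property promotion). It also shows the one caveat a whitelist regex needs: PCRE's `$` matches before a trailing newline unless the `D` modifier is used, so `"user42\n"` passes `/^[a-z0-9]+$/`.

```php
<?php
declare(strict_types=1);

// Added example for this page (not code from the thread or from any PHP taint
// extension). Assumes PHP 8.0+. Part 1 sketches "tainted by default": untrusted
// input is wrapped, and the only ways to get a plain string out are escaping
// for a named output context or a whitelist check that proves it harmless.
final class Tainted
{
    private function __construct(private string $value) {}

    public static function fromRequest(string $raw): self
    {
        return new self($raw);
    }

    // Escape for HTML body/attribute context.
    public function forHtml(): string
    {
        return htmlspecialchars($this->value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // Escape for use as a single shell argument.
    public function forShellArg(): string
    {
        return escapeshellarg($this->value);
    }

    // Whitelist validation: the raw value is released only if it matches a
    // pattern that leaves no room for metacharacters.
    public function ifMatches(string $whitelistPattern): ?string
    {
        return preg_match($whitelistPattern, $this->value) === 1 ? $this->value : null;
    }

    // Deliberate escape hatch for the rare edge case; the name is meant to be
    // grep-able in review.
    public function unsafeRaw(): string
    {
        return $this->value;
    }

    // Implicit conversion ("<p>$t</p>", $t . 'x', echo $t) is the usual slip;
    // make it fail loudly instead of silently emitting the raw string.
    public function __toString(): string
    {
        throw new LogicException('tainted value used without escaping or validation');
    }
}

// Part 2: the same preg_match() call as a whitelist and as a blacklist.
// D (PCRE_DOLLAR_ENDONLY) matters: without it '$' also matches just before a
// trailing "\n", so "user42\n" would pass the "only [a-z0-9]" check.
const WHITELIST = '/^[a-z0-9]+$/D';
const WHITELIST_NAIVE = '/^[a-z0-9]+$/';

function passesBlacklist(string $input): bool
{
    // preg_match() returns false on error (e.g. bad UTF-8 with /u); treating
    // anything other than 0 as a rejection keeps the check fail-closed.
    return preg_match('/[<>"\']/', $input) === 0;
}

// Constructed sample inputs, chosen to show where each approach leaks.
$samples = [
    'user42',            // benign
    'user-42',           // hyphen: outside the whitelist
    "user42\n",          // trailing newline: passes '$' without D
    '../../etc/passwd',  // traversal, contains no blacklisted character
    'a; rm -rf /',       // shell metacharacters, not on the blacklist
    "x' OR 1=1 --",      // quote is on the blacklist
    '<script>',          // on the blacklist
];

printf("%-22s %-9s %-9s %-9s %s\n", 'input', 'wl+D', 'wl', 'blacklist', 'forHtml()');
foreach ($samples as $raw) {
    $t = Tainted::fromRequest($raw);
    printf("%-22s %-9s %-9s %-9s %s\n",
        json_encode($raw, JSON_UNESCAPED_SLASHES),
        $t->ifMatches(WHITELIST) !== null ? 'accept' : 'reject',
        $t->ifMatches(WHITELIST_NAIVE) !== null ? 'accept' : 'reject',
        passesBlacklist($raw) ? 'accept' : 'reject',
        json_encode($t->forHtml(), JSON_UNESCAPED_SLASHES));
}

// Using the tainted value directly is an error, not a silent leak.
try {
    echo '<p>' . Tainted::fromRequest('<script>') . '</p>';
} catch (LogicException $e) {
    echo "blocked: {$e->getMessage()}\n";
}
```

Run it with `php taint-demo.php`. The table makes the asymmetry visible: the whitelist rejects everything it was not told to accept (including the traversal and shell-metacharacter rows the blacklist lets through), while the blacklist only stops the handful of characters someone thought of. The `wl` column shows the one row where even the whitelist needs care, the trailing newline, which the `D` modifier closes. The `Tainted` wrapper is the "whitelist by default" idea from the top of the thread in miniature: nothing reaches output until it has been escaped for a context or validated, and the raw path has a name that stands out in code review.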
