Stanislav Malyshev wrote:
>> output to browser, output to system (console/whatever else), sql, xml,
>> streams, etc... all of them require special attentions.
>
> Hello, safe mode 2.0! :)
> Seriously, I do not think tainting is made for that - and we will have a
> ton of trouble trying to describe
On 20-Dec-06, at 12:08 AM, Andi Gutmans wrote:
Static analysis won't work well enough in PHP.
It can get you 70-80% there though, without touching the engine.
Btw, I don't see someone doing that foreach and using untaint() being
different from someone not filtering their input.
People rea
Static analysis won't work well enough in PHP. I've been down that path and
there's no way it'll be effective enough due to the dynamic nature of the
langage. (In Java it can be much more successfully implemented).
Btw, I don't see someone doing that foreach and using untaint() being
different fro
I think that having more than a black&white taint mode is actually going to
be a mess and smells much more like a safe_mode problem to me than the b&w
approach. It'll be very easy to explain what the simple approach is and that
it assumes that you "correctly" filter/untaint the data. At the end of
On 19-Dec-06, at 4:21 PM, Stanislav Malyshev wrote:
Wrong again, different contexts have different validation
criteria, unless you consider that tainting in PHP wont work.
What's safe to print on screen may not be safe to execute or pass
to the database etc...
I do not think the purpose
output to browser, output to system (console/whatever else), sql, xml,
streams, etc... all of them require special attentions.
Hello, safe mode 2.0! :)
Seriously, I do not think tainting is made for that - and we will have a
ton of trouble trying to describe what is "safe for SQL" (is it for
M
Hi Andrei,
Yeah, I see the patch you committed also included the changes that were made
since my reply yesterday... I've attached a patch that removes a few lines
that aren't present in the non-Unicode version.
Matt
- Original Message -
From: "Andrei Zmievski"
Sent: Tuesday, December
On 12/20/06, Wietse Venema <[EMAIL PROTECTED]> wrote:
> Now, about taint mode, is it possible to leave the input filtering for
> a second and explain me what else you like to do? How do you plan to
> manage the contexts? Do you want this horrible mode 3? Or will you
> argue about input filtering
[A quote that I might end up using somewhere]
> > Very well put/explained.
>
> If it was only about the input filtering, you can use (and should)
> ext/filter (filter.default=string with default flag strip low/high).
>
> And more generally since I use filter filter in my projects, I do not
> use
Hello,
On 12/20/06, Stanislav Malyshev <[EMAIL PROTECTED]> wrote:
> Now, about taint mode, is it possible to leave the input filtering for
> a second and explain me what else you like to do? How do you plan to
> manage the contexts? Do you want this horrible mode 3? Or will you
I'm not sure wha
Now, about taint mode, is it possible to leave the input filtering for
a second and explain me what else you like to do? How do you plan to
manage the contexts? Do you want this horrible mode 3? Or will you
I'm not sure what you mean by "contexts". I suppose by "mode 3" you mean
mode in which t
Hello,
On 12/20/06, Alain Williams <[EMAIL PROTECTED]> wrote:
On Tue, Dec 19, 2006 at 01:21:59PM -0800, Stanislav Malyshev wrote:
> >Wrong again, different contexts have different validation criteria,
> >unless you consider that tainting in PHP wont work. What's safe to print
> >on screen may no
On Tue, Dec 19, 2006 at 01:21:59PM -0800, Stanislav Malyshev wrote:
> >Wrong again, different contexts have different validation criteria,
> >unless you consider that tainting in PHP wont work. What's safe to print
> >on screen may not be safe to execute or pass to the database etc...
>
> I do n
Sara,
Are you sure this complexity is necessary? Why not just pass the binary
string to INI subsystem and let user make sure it's in UTF-8? We don't
do this for any other function, really..
-Andrei
On Dec 19, 2006, at 2:01 PM, Andrei Zmievski wrote:
andrei Tue Dec 19 22:01:50 20
On Dec 19, 2006, at 1:07 PM, Marcus Boerger wrote:
- zend_call_methods has no zend_u_call_method version, see patch
Good catch.
- parameter parsing doesn't allow to receive a string in current
run-time setting. I will introduce a new parameter parsing option
'x' that gets replaced by ei
Wrong again, different contexts have different validation criteria,
unless you consider that tainting in PHP wont work. What's safe to print
on screen may not be safe to execute or pass to the database etc...
I do not think the purpose of tainting is or should be to take this kind
of decisions
Hello all,
i am doing some unicode stuff and missng a few things and found a
few issues:
- ZVAL_STRL() is inconsistent with the rest of the ZVAL_*L().
The former has order: zval, zstr, len, type, flags
while the others have the order: zval, value, len, flags
Since a zstr value is defined
Jeff Moore wrote:
On Dec 19, 2006, at 10:53 AM, Ilia Alshanetsky wrote:
Bottom line is that does not, there are plenty of Perl application
supposedly safe from XSS due to tainting while in reality are
trivially exploitable via XSS due to the fact validation regex which
does the un-tainting o
On Dec 19, 2006, at 10:53 AM, Ilia Alshanetsky wrote:
Bottom line is that does not, there are plenty of Perl application
supposedly safe from XSS due to tainting while in reality are
trivially exploitable via XSS due to the fact validation regex which
does the un-tainting of data is sub-par.
On Tue, Dec 19, 2006 at 06:05:25PM +0100, Lukas Kahwe Smith wrote:
> Alain Williams wrote:
>
>
> >I propose to give a partially working tool that helps in the majority
> >of cases. I am aware that it will not be a panacea but that it is
> >preferable
> >to nothing.
>
> A non context aware taint
Ilia Alshanetsky wrote:
Wrong again, different contexts have different validation criteria,
unless you consider that tainting in PHP wont work. What's safe to print
on screen may not be safe to execute or pass to the database etc...
Ilia is right here, this is the key concern with this propos
Alain Williams wrote:
I propose to give a partially working tool that helps in the majority
of cases. I am aware that it will not be a panacea but that it is preferable
to nothing.
A non context aware taint will fail in the majority of use cases.
regards,
Lukas
--
PHP Internals - PHP Runtim
Is this better?
Index: ext/standard/formatted_print.c
===
RCS file: /repository/php-src/ext/standard/formatted_print.c,v
retrieving revision 1.89
diff -p -u -r1.89 formatted_print.c
--- ext/standard/formatted_print.c 18 Dec 2006
Ilia Alshanetsky wrote:
To use your car analogy and safe_mode history, most users will start
driving like maniacs, violating every traffic law thinking that the
seat belt makes them invincible.
Most users drive like maniacs anyway, and it will ever be so. Taint mode
cannot save people from them
On 19-Dec-06, at 11:36 AM, Alain Williams wrote:
On Tue, Dec 19, 2006 at 11:18:02AM -0500, Ilia Alshanetsky wrote:
On 19-Dec-06, at 11:06 AM, Alain Williams wrote:
It is quite true that a taint flag cannot *guarantee* to make a PHP
script
completely safe. Using a regex to untaint a value wil
Hello,
On 12/19/06, Robert Cummings <[EMAIL PROTECTED]> wrote:
On Tue, 2006-12-19 at 17:35 +0100, Pierre wrote:
> Hello,
>
> On 12/19/06, Wietse Venema <[EMAIL PROTECTED]> wrote:
> > Zeev Suraski:
>
> > Following up on an earlier suggestion in this thread, I could see
> > at least three modes of
On Tue, 2006-12-19 at 17:35 +0100, Pierre wrote:
> Hello,
>
> On 12/19/06, Wietse Venema <[EMAIL PROTECTED]> wrote:
> > Zeev Suraski:
>
> > Following up on an earlier suggestion in this thread, I could see
> > at least three modes of operation:
> >
> > 1) Disabled. The default setting.
> >
> >
On Tue, Dec 19, 2006 at 11:18:02AM -0500, Ilia Alshanetsky wrote:
>
> On 19-Dec-06, at 11:06 AM, Alain Williams wrote:
> >It is quite true that a taint flag cannot *guarantee* to make a PHP
> >script
> >completely safe. Using a regex to untaint a value will not
> >guarantee that
> >you end up
Hello,
On 12/19/06, Wietse Venema <[EMAIL PROTECTED]> wrote:
Zeev Suraski:
Following up on an earlier suggestion in this thread, I could see
at least three modes of operation:
1) Disabled. The default setting.
2) Audit mode. Report perceived problems to logfile. This can be
used by de
On Tue, 2006-12-19 at 11:18 -0500, Ilia Alshanetsky wrote:
> >
> > Let us be done with this discussion and agree (as the Perl & Ruby
> > people have)
> > that it is best to have a useful tool even if we can't make it 100%
> > perfect.
>
> So you propose to give a partially working tool that pr
Ilia Alshanetsky wrote:
So you propose to give a partially working tool that promises data
security and then expect people not to rely on it 100% because it is
easy to
Nobody at all in this discussion has suggested taint promises data
security. Nobody has said it promises anything. But an imper
On 19-Dec-06, at 11:06 AM, Alain Williams wrote:
It is quite true that a taint flag cannot *guarantee* to make a PHP
script
completely safe. Using a regex to untaint a value will not
guarantee that
you end up with a perfectly safe value -- partly because it depends
on what
you want to do w
On Tue, Dec 19, 2006 at 10:53:51AM -0500, Ilia Alshanetsky wrote:
>
> On 19-Dec-06, at 10:35 AM, Wietse Venema wrote:
> ...
> Bottom line is that does not, there are plenty of Perl application
> supposedly safe from XSS due to tainting while in reality are
> trivially exploitable via XSS due
On 19-Dec-06, at 10:35 AM, Wietse Venema wrote:
As for positioning the feature, I don't think the problem is with
the name "taint" itself. It was introduced under this name with
Perl3 in 1989(*), and later under the same name in Ruby and other
programming languages. I am not aware that shortco
Hm, my test shows that the new compiler produces slightly (2%) faster code.
See the full output of both runs at:
http://edin.dk/archives/25-Benchmarks.html
Edin
Nuno Lopes wrote:
It is running happily here (I tested on a pc without visual studio
installed).
Strangely or not, this new binary is
Zeev Suraski:
> My 2c on this piece is that tainting can be a nice helper tool to
> reduce the likelihood of security problems in your code. Nothing
> more and nothing less.
>
> I too fear the possibility of tainting becoming the new
> safe_mode. "Outsource your security to PHP, it'll take ca
On Wed, 2006-12-20 at 01:33 +1100, Kevin Waterson wrote:
> This one time, at band camp, Zeev Suraski <[EMAIL PROTECTED]> wrote:
>
>
>
> > - Consider making this a compile time option with significant
> > overhead and a big DO NOT ENABLE IN PRODUCTION, so that people have
> > an even clearer id
This one time, at band camp, Zeev Suraski <[EMAIL PROTECTED]> wrote:
> - Consider making this a compile time option with significant
> overhead and a big DO NOT ENABLE IN PRODUCTION, so that people have
> an even clearer idea they shouldn't rely on it to find their bugs,
> and that in fact it
Nuno Lopes wrote:
It is running happily here (I tested on a pc without visual studio
installed).
Strangely or not, this new binary is much slower that the current
snapshot from snaps.php.net. In a P4 2.0Ghz machine the bench.php
script takes ~25 seconds with the old compiler and ~30 seconds wit
It is running happily here (I tested on a pc without visual studio
installed).
Strangely or not, this new binary is much slower that the current snapshot
from snaps.php.net. In a P4 2.0Ghz machine the bench.php script takes ~25
seconds with the old compiler and ~30 seconds with this new build :S
Hi (again) Ilia, all,
After thinking about the zend_smart_strcmp() issue more, I believe a numeric
comparison can be used except when *both* values overflow *and* have the
same sign (either INF or -INF). I also think it's OK to say an underflow
(that becomes an even 0.0) of both values can simply
Hi,
why do I get warnings when I have failures in my ext/soap ctor?
try {
$client = new SoapClient('http://i_dont_exist.com/some.wsdl',
array('exceptions' => true));
} catch (Exception $e) { }
I guess even without the 'exceptions' => true it should always return
all issues as an exception.
the way I see it there is one simple way of making sure 'taintmode'
doesn't become another magic suicide bullet (ala safemode)...
make taintmode do nothing more than produce warnings/errors/whatever -
don't let it have any effect on the actual running of the application.
I for one would be more t
On Tue, 2006-12-19 at 12:08 +0200, Zeev Suraski wrote:
> At 23:40 16/12/2006, Ilia Alshanetsky wrote:
> >>>You're not helping them, just making assumptions about how their
> >>>code should work and making them adhere to them.
> >>
> >>Yes, and this is helping. Every language does that. Saying "you
Tom Sommer wrote:
Ignoring the fact that this is somewhat off-topic, why would ISPs use the
Lite version as opposed to the "bloated" version? Their users want
features, functions, they want PHP - why settle for the lesser version?
If you don't want taint support, because you feel it's bloat, do
-
Zeev Suraski wrote:
As such, I would consider:
- Saying tainting should not be enabled in production (avoid the false
sense of security people might have if they turn on tainting in
production).
- Not necessarily the fastest possible implementation, since it'd be
used for development purposes
At 23:40 16/12/2006, Ilia Alshanetsky wrote:
You're not helping them, just making assumptions about how their
code should work and making them adhere to them.
Yes, and this is helping. Every language does that. Saying "you
can't make 100% work exactly as I wanted without any effort, so
entire t
On Tue, December 19, 2006 09:29, Lester Caine wrote:
> Robert Cummings wrote:
>
>> On Tue, 2006-12-19 at 04:54 +, Lester Caine wrote:
>>
>>> Richard Lynch wrote:
>>>
On Sat, December 16, 2006 7:03 am, Lester Caine wrote:
> Of cause many of us never go near the raw database calls a
On Tue, 2006-12-19 at 08:29 +, Lester Caine wrote:
> Robert Cummings wrote:
> > On Tue, 2006-12-19 at 04:54 +, Lester Caine wrote:
> >> Richard Lynch wrote:
> >>> On Sat, December 16, 2006 7:03 am, Lester Caine wrote:
> Of cause many of us never go near the raw database calls anyway, s
Tom Sommer wrote:
On Tue, December 19, 2006 05:54, Lester Caine wrote:
Richard Lynch wrote:
On Sat, December 16, 2006 7:03 am, Lester Caine wrote:
Of cause many of us never go near the raw database calls anyway,
since we are using frameworks that carry out lot of the security
checks at a gen
Robert Cummings wrote:
On Tue, 2006-12-19 at 04:54 +, Lester Caine wrote:
Richard Lynch wrote:
On Sat, December 16, 2006 7:03 am, Lester Caine wrote:
Of cause many of us never go near the raw database calls anyway, since
we are using frameworks that carry out lot of the security checks at
Hi,
you can use:
class test2 {
public function __toString(){ return (string) new test; }
}
Marian Kostadinov wrote:
Hi,
there is one issue that I experience since I started using 5.2.0 and
especially the new correct __toString behaviour. Generally it works fine.
But sometimes I find it usefu
On Tue, December 19, 2006 05:54, Lester Caine wrote:
> Richard Lynch wrote:
>
>> On Sat, December 16, 2006 7:03 am, Lester Caine wrote:
>>
>>> Of cause many of us never go near the raw database calls anyway,
>>> since we are using frameworks that carry out lot of the security
>>> checks at a generi
Hi,
there is one issue that I experience since I started using 5.2.0 and
especially the new correct __toString behaviour. Generally it works fine.
But sometimes I find it useful to get __toString return another object the
also has a __toString method. So my idea is - is it possible (and good idea)
On Tue, 2006-12-19 at 04:54 +, Lester Caine wrote:
> Richard Lynch wrote:
> > On Sat, December 16, 2006 7:03 am, Lester Caine wrote:
> >> Of cause many of us never go near the raw database calls anyway, since
> >> we are using frameworks that carry out lot of the security checks at a
> >> gener
55 matches
Mail list logo
