David Zülke wrote:
> An untaint() approach - all for it (yes, the noobs that don't give a
> damn are going to use it because "it just works", but no, that shouldn't
Most people here seem to agree that it would be a valuable tool for
themselves to be able to taint/untaint data. Wietse's approach is v
Hey David,
David Zülke schrieb:
> bother us, at least they have been warned). But some implicit guessing
> magic that, once again, means people are gonna switch their brains off -
> please not.
Frankly, I don't care about people that switch their brains off. If one
doesn't care about security, or
Yes, that is exactly the way to go. To quote Yoda (and he would
know): "Do, or do not. There is no try." Or, in contemporary
words: do things 100% properly, but if that is not possible, take a
step back and spare the world some half-arsed attempt.
This makes no sense to me. There is nothin
"Do, or do not. There is no try." Or, in contemporary words: do
things 100% properly, but if that is not possible, take a step back
and spare the world some half-arsed attempt.
It sounds nice, but from the practical point of view you can't make
sure code is 100% tested and 100% secure. The
Hi,
Ezequiel Gutesman wrote:
> Going back to Stefan's example:
>
>> $sql['id'] = mysql_real_escape_string($_GET['id']);
>> $query = "SELECT * FROM table WHERE id=".$sql['id']
>
> It is true that GRASP won't raise an alarm unless $sql['id'] has
> non
"Do, or do not. There is no try." Or, in contemporary words: do things
100% properly, but if that is not possible, take a step back and spare
the world some half-arsed attempt.
It sounds nice, but from the practical point of view you can't make sure
code is 100% tested and 100% secure. There
On 19.11.2007, at 21:50, David Zülke wrote:
Am 18.11.2007 um 22:53 schrieb Lukas Kahwe Smith:
Stefan so what is your point then? Since neither can be 100%
secure, do not use any? Or just do not bundle either?
Yes, that is exactly the way to go. To quote Yoda (and he would
know): "Do, or
Am 18.11.2007 um 22:53 schrieb Lukas Kahwe Smith:
Stefan so what is your point then? Since neither can be 100% secure,
do not use any? Or just do not bundle either?
Yes, that is exactly the way to go. To quote Yoda (and he would know):
"Do, or do not. There is no try." Or, in contemporary
Stefan Esser wrote:
> Hi Dan,
>> I believe the primary use case for taint mode would be to use it in
>> development: taint mode is a mode which can be turned on to give you
>> an idea of where your application may have exposed some
>> vulnerabilities; let you fix those identified vulnerabilities; t
troels knak-nielsen:
> If taint-mode is intended for testing only, it would never be
> something which was turned on by default. Then maybe a tool such as
> php-sat ( http://www.program-transformation.org/PHP/PhpSat ) is a
> better solution? It seems to me like there is a rather big overlap
> bet
If taint-mode is intended for testing only, it would never be
something which was turned on by default. Then maybe a tool such as
php-sat ( http://www.program-transformation.org/PHP/PhpSat ) is a
better solution? It seems to me like there is a rather big overlap
between the projects.
--
troels
Stefan Esser:
> Wietse Venema schrieb:
> > Stefan Esser:
> >
> >> 2) Using mysql_real_escape_string() on user input does not make it safe
> >> for SQL. It only makes SQL strings safe.
> >> Example: "SELECT * FROM table WHERE id=".mysql_real_escap
On 19.11.2007, at 09:00, Stefan Esser wrote:
Wietse Venema schrieb:
Stefan Esser:
2) Using mysql_real_escape_string() on user input does not make it safe
for SQL. It only makes SQL strings safe.
Example: "SELECT * FROM table WHERE id=".mysql_real_escape_string($id)
is NOT secure but wil
Wietse Venema schrieb:
> Stefan Esser:
>
>> 2) Using mysql_real_escape_string() on user input does not make it safe
>> for SQL. It only makes SQL strings safe.
>> Example: "SELECT * FROM table WHERE id=".mysql_real_escape_string($id)
>> is NOT secure but will result in no taint warning
>>
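The point Stefan makes above (escaping only protects a quoted string literal, so "id=".mysql_real_escape_string($id) is still injectable) and the later remark about Perl untainting through a regexp match are easy to see side by side in a small model. The following is an added example written for this page; it is not code from the thread, from GRASP, or from Wietse Venema's PHP taint mode, and its `escape_string`, `sql_violations` and `untaint_int` functions are a simplified Python imitation of those ideas (escaping modelled on what mysql_real_escape_string() does, a byte-level taint check in the spirit of GRASP, and a regexp untaint in the spirit of Perl), not their real implementations.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class T:
    """A string carrying one taint flag per character (byte-level taint model)."""
    text: str
    taint: List[bool]

    @staticmethod
    def user(s):          # data straight from the request: every byte tainted
        return T(s, [True] * len(s))

    @staticmethod
    def lit(s):           # a literal written by the programmer: untainted
        return T(s, [False] * len(s))

    def __add__(self, other):   # concatenation keeps each byte's own taint
        return T(self.text + other.text, self.taint + other.taint)


# Characters that mysql_real_escape_string() rewrites (model, not the C code).
ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
           "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}


def escape_string(t):
    """Model of mysql_real_escape_string(): it rewrites quote-breaking bytes
    but does NOT clear taint. Escaped bytes are still attacker-controlled."""
    out, taint = [], []
    for ch, tainted in zip(t.text, t.taint):
        rep = ESCAPES.get(ch, ch)
        out.append(rep)
        taint.extend([tainted] * len(rep))
    return T("".join(out), taint)


def sql_violations(t):
    """Byte-level check in the GRASP spirit (an assumption about its rule, not
    its code): tainted bytes may only be the body of a single-quoted literal or
    one whole numeric literal. Any other tainted run, or a tainted unescaped
    quote, alters the query's structure and is reported."""
    bad, run, in_str, i = [], "", False, 0

    def flush():
        nonlocal run
        if run and not re.fullmatch(r"\d+", run):
            bad.append(run)
        run = ""

    while i < len(t.text):
        ch, tainted = t.text[i], t.taint[i]
        if in_str:
            if ch == "\\":          # escaped byte inside a literal: harmless
                i += 2
                continue
            if ch == "'":
                if tainted:         # tainted quote closing the literal
                    bad.append(ch)
                in_str = False
        elif ch == "'":
            if tainted:             # tainted quote opening a literal
                bad.append(ch)
            flush()
            in_str = True
        elif tainted:
            run += ch
        else:
            flush()
        i += 1
    flush()
    return bad


def untaint_int(t):
    """Explicit untaint in the Perl style: only a successful regexp match on
    the whole value yields clean data, so nothing else can reach the query."""
    m = re.fullmatch(r"\d+", t.text)
    if not m:
        raise ValueError("not an integer: %r" % t.text)
    return T.lit(m.group(0))


def query_escaped(user_id):
    """Stefan's example: escaping applied to an unquoted numeric context."""
    return T.lit("SELECT * FROM table WHERE id=") + escape_string(T.user(user_id))


def query_quoted(user_name):
    """The case escaping is designed for: the value sits inside a literal."""
    return (T.lit("SELECT * FROM table WHERE name='")
            + escape_string(T.user(user_name)) + T.lit("'"))


def query_validated(user_id):
    """Same numeric context, but untainted by validation instead of escaping."""
    return T.lit("SELECT * FROM table WHERE id=") + untaint_int(T.user(user_id))


if __name__ == "__main__":
    # Constructed sample inputs; "1 OR 1=1" survives escaping unchanged.
    print(query_escaped("1 OR 1=1").text, sql_violations(query_escaped("1 OR 1=1")))
    print(query_quoted("x' OR '1'='1").text, sql_violations(query_quoted("x' OR '1'='1")))
    print(query_validated("42").text, sql_violations(query_validated("42")))
```

A variable-level mode that marks the result of escape_string() as clean would accept the first query as safe; the per-byte check sees the tainted run `1 OR 1=1` outside any literal and reports it, while the quoted query and the regexp-validated query pass.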
Hi Stefan,
Stefan Esser wrote:
> GRASP by Coresecurity
> * pro: byte level tainting which actually works
> * negative: slow
>
> PHP Taint mode by Wietse Venema/IBM
> * pro: faster
> * negative: broken design+insecure
I don't see a big problem with ha
Stefan Esser:
> 2) Using mysql_real_escape_string() on user input does not make it safe
> for SQL. It only makes SQL strings safe.
> Example: "SELECT * FROM table WHERE id=".mysql_real_escape_string($id)
> is NOT secure but will result in no taint warning
Can you give a specific example? I'd lik
Stefan Esser:
> Hi Steph,
>
> >
> > In a preliminary release for feedback purposes you talk about wrong
> > assumptions? Surely this is the whole point of having a preliminary
> > release for feedback :)
> yes of course it is preliminary. But the
The problem here is that both approaches fail to be completely secure
even when your test environment
I don't think taint mode can be truly considered a security feature.
It's rather a feature that would remind the developer he needs to think
about security. Just as an alarm clock can wake yo
AFAIK Perl has variable-level tainting, but does not have implicit
untainting.
Applying any regexp to a tainted variable produces untainted results in Perl.
--
Stanislav Malyshev, Zend Software Architect
[EMAIL PROTECTED] http://www.zend.com/
(408)253-8829 MSN: [EMAIL PROTECTED]
On 18.11.2007, at 22:56, Stefan Esser wrote:
This is different from the implicit untainting through htmlentities()
and mysql_real_escape_string() because there
are obviously cases where these functions are the WRONG functions and
the developer will never realise this
because he was not taught
Hello Lukas,
> I wonder how other languages solve this dilemma? Like how does Ruby's
> taint model work? What are the experience there? Are there any other
> languages that have a taint model?
I don't know exactly what they do, but if I am not completely mistaken
the difference is simple.
AFAIK p
On 18.11.2007, at 22:40, Stefan Esser wrote:
Hi Dan,
I believe the primary use case for taint mode would be to use it in
development: taint mode is a mode which can be turned on to give you
an idea of where your application may have exposed some
vulnerabilities; let you fix those identified vu
Hi Steph,
>
> In a preliminary release for feedback purposes you talk about wrong
> assumptions? Surely this is the whole point of having a preliminary
> release for feedback :)
yes of course it is preliminary. But the whole idea is flawed. It is
assumed that a single function exists that makes us
Hi Dan,
> I believe the primary use case for taint mode would be to use it in
> development: taint mode is a mode which can be turned on to give you
> an idea of where your application may have exposed some
> vulnerabilities; let you fix those identified vulnerabilities; then
> turn off for product
On 18/11/2007, Stefan Esser <[EMAIL PROTECTED]> wrote:
> Good Morning,
>
> I just wanted to ask if there was ever a decision made that said tainted
> mode will go into PHP mainstream.
>
> Currently there are two implementations available:
>
> GRASP by Coresecurity
> * pro: byte level tainting which
Hi Stefan,
I just wanted to ask if there was ever a decision made that said tainted
mode will go into PHP mainstream.
No decision as such - I believe Wietse is doing his best to find out exactly
how viable it is, no?
it seems some people want the fast implementation of Wietse in the core
w
I wonder how other languages solve this dilemma? Like how does Ruby's
taint model work? What are the experience there? Are there any other
languages that have a taint model?
Perl has. AFAIK it's variable-based.
On 18.11.2007, at 14:00, Stefan Esser wrote:
Hi Stefan,
It is therefore obvious that the GRASP way cannot be made fast and
that Venema's implementation will always be faster.
I wonder how other languages solve this dilemma? Like how does Ruby's
taint model work? What are the experience t
The other difference is that Venema's implementation assumes that
functions exist that make a variable safe for usage in SQL, HTML, ...
When such a function is used the variable is marked as not tainted... In
the previous mail I showed examples why this is not secure.
GRASP on the other hand hook
> Also I don't know how GRASP works, but it's very difficult (if not
> impossible) to provide good analysis..
The difference between GRASP and PHP Taint Mode is that GRASP tracks
taintedness on a byte level
(it really tracks that e.g. byte 4, 7 and 8-20 of a variable are tainted
and the others not
I just wanted to ask if there was ever a decision made that said tainted
mode will go into PHP mainstream.
no, there was no decision yet.
It is no secret that I don't like the idea of a taint mode in PHP
because it cannot be made secure and fast at the same time.
/me too. Although I can't a