Hi!
> I’m requesting that the functions taint() and untaint() as well as
> the ability to log taint information be available in the standard
> interpreter without extensions.
Given that this feature has performance implications, and is not
universally needed, I don't think this would be a good idea.
On 19/11/2015 04:52, Christopher Owen wrote:
I’m requesting that the functions taint() and untaint() as well as the ability
to log taint information be available in the standard interpreter without
extensions.
Christopher Owen.
On Nov 18, 2015, at 8:26 PM, Stanislav Malyshev wrote:
I’m requesting that the functions taint() and untaint() as well as the ability
to log taint information be available in the standard interpreter without
extensions.
Christopher Owen.
> On Nov 18, 2015, at 8:26 PM, Stanislav Malyshev wrote:
>
> Hi!
>
>> As discussion seems to have died out,
Hi!
> As discussion seems to have died out, I would like to propose moving
> to the next stage for inclusion of taint as a first class feature of
> php 7.1.
What is the difference between what exists now (i.e., extension) and
what you seek to do in 7.1? What do you mean by "first class feature"?
On 17/11/15 07:34, Christopher Owen wrote:
> - Including taint as a first class feature will allow for it to be available
> in future Linux distribution packages of php
Any decent Linux distribution already makes 'optional' extensions easy
to switch on or off. What you are actually proposing by m
Just to add to the white/black listing argument...
I would say that tainting is a whitelist approach, as everything is blocked by
default (seen as untainted), and you need to escape your variables depending on
the context they will be used in (or go out of your way to say it has already
been es
While skim reading emails (just got back from holiday), I wanted to add...
On 15 Sep 2015, at 17:23, Anthony Ferrara wrote:
> All,
>
> On Tue, Sep 15, 2015 at 11:15 AM, Arvids Godjuks
> wrote:
>> I fully support your effort to get this into the PHP to be part of core
>> extensions, or at leas
Hey:
On Thu, Sep 17, 2015 at 2:37 AM, Stanislav Malyshev wrote:
> Hi!
>
>>> Taint is blacklisting.
>>>
>> Last time I checked marking all user input as tainted and requiring
>> "untainting" before usage in sensitive functions is whitelisting and not
>> blacklisting.
>
> I would say it's neither -
Hi!
>> Taint is blacklisting.
>>
> Last time I checked marking all user input as tainted and requiring
> "untainting" before usage in sensitive functions is whitelisting and not
> blacklisting.
I would say it's neither - whitelisting is an explicit check (or fixing,
to ensure) that the input ma
Good morning,
> ==8<--
> Taint is blacklisting.
>
Last time I checked marking all user input as tainted and requiring
"untainting" before usage in sensitive functions is whitelisting and not
blacklisting.
Regards,
Stefan
--
SektionEins GmbHstefan.es...@sekti
On 9/15/2015 9:10 AM, Dennis Birkholz wrote:
Hi all,
On 15.09.2015 at 17:09, Craig Francis wrote:
2015-09-14 4:44 GMT+02:00 Christopher Owen :
Please consider making ‘taint’ a first-class feature/extension in PHP 7.0.
I would echo Kalle's suggestion of 7.1.
But I think you will find it har
Hi,
On 15/09/2015 17:09, Craig Francis wrote:
But I think you will find it hard to get support... I was pushing this
a few weeks ago (either the one from Wietse Venema, the one from Matt
Tait, or even my own suggestion), but it seems the developers are more
interested in features that make
On 15/09/15 18:23, Anthony Ferrara wrote:
Third, it ignores context. This is related to the first two, but I
think is a separate concern. An example from the taint RFC
(https://wiki.php.net/rfc/taint) is the shell-execution. If the
variable is used in the context of command, one escape function i
All,
On Tue, Sep 15, 2015 at 11:15 AM, Arvids Godjuks
wrote:
> I fully support your effort to get this into the PHP to be part of core
> extensions, or at least one of those that keep up with the language
> releases.
> This is a very good tool to have, and you can actually run it in production
>
Hi all,
On 15.09.2015 at 17:09, Craig Francis wrote:
> 2015-09-14 4:44 GMT+02:00 Christopher Owen :
>> Please consider making ‘taint’ a first-class feature/extension in PHP 7.0.
>
> I would echo Kalle's suggestion of 7.1.
>
> But I think you will find it hard to get support... I was pushing thi
I fully support your effort to get this into the PHP to be part of core
extensions, or at least one of those that keep up with the language
releases.
This is a very good tool to have, and you can actually run it in production
to catch things that may have slipped the staging (things happen). And it's
in
2015-09-14 4:44 GMT+02:00 Christopher Owen :
> Please consider making ‘taint’ a first-class feature/extension in PHP 7.0.
I would echo Kalle's suggestion of 7.1.
But I think you will find it hard to get support... I was pushing this a few
weeks ago (either the one from Wietse Venema, the one fr
> On Sep 14, 2015, at 1:35 PM, Kalle Sommer Nielsen wrote:
>
> Hi Christopher
>
> 2015-09-14 4:44 GMT+02:00 Christopher Owen :
>> Please consider making ‘taint’ a first-class feature/extension in PHP 7.0.
>
> It is way too late for any extension to be included in the 7.0 release
> now, but you
Hi Christopher
2015-09-14 4:44 GMT+02:00 Christopher Owen :
> Please consider making ‘taint’ a first-class feature/extension in PHP 7.0.
It is way too late for any extension to be included in the 7.0 release
now, but you can write an RFC targeting 7.1, please see the wiki for
more details[1].
19 matches