Hey Zladivliba,

Here's my point: if you only authorize "abcdefghijklmnopqrstuvwxyz" + '0123456789'
+ ".,;:()/[] '"
I'm pretty sure there's no way to make an attack, XSS or SQL injection.
- You can't make a SQL injection because you need "\" to do this, and if you escape all
user input (" and ') you're OK.
- You can't make an XSS because you need < and > to do it.

As stated before, this is not a practical thing to be done in a single function. While you might be escaping this for one stream (HTML), the rules for the language are different for another language (SQL). The key is to validate your input via Zend/Validate/* and escaping your data properly per the rules of the language. Escaping data against multiple streams in the same context can have unexpected results.

Now doing so I'm just applying one very basic principle of security: remove
everything you don't absolutely need.
What I miss is *how* to build such a function that would filter all these 
chars. And I'd love a little help on this side

The functionality is already there. Zend/Validate/* have a lot of common methods for validating data, whereas Zend_Json is for JavaScript, Zend_View::escape for HTML, and Zend/Db/Adapter/* for SQL.

I don't know of any vulns in htmlPurifier, although I can tell you for sure there are
undiscovered vulnerabilities; this is just a matter of statistics. The more code you have,
the more vulns you have too. The more complex the machine, the more vulns you have, even
if the guys who wrote it are probably high-end security professionals.

So, does this mean you are against htmlPurifier simply because of "undiscovered vulnerabilities"? If you fear something being insecure simply because of its undiscovered faults, then that probably isn't the best route to go about evaluating things. In my experience, products that are tried and true are much better at doing what you ask when they've undergone public scrutiny (OSS++).


Finally: Is your goal to build a security enterprise or something more security-related? If so, I recommend taking this topic up with the OWASP Mailing list <https://lists.owasp.org/mailman/listinfo>, as there will be more advanced security experts there who can help you out in further detail. Otherwise, what can we do to help you with ZF-related issues?

Regards,
-Kizano
//-----
Information Security
http://www.markizano.net/
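
The point made above (validate with an allowlist, then escape per output language, and do not mix the two) as an added example. This is not code from the thread or from Zend Framework; it is written in Python with the standard sqlite3 module rather than PHP so the behaviour can be run offline, and the users table and the two payloads are constructed for the demonstration. It shows that the proposed allowlist is easy to implement, that allowlist-passing input still changes the meaning of concatenated SQL and of a single-quoted JavaScript string, that a bound parameter keeps the same input as data, and that HTML-escaping a value before it reaches the SQL layer silently breaks a legitimate lookup.

```python
"""Allowlist validation vs. per-context escaping (constructed demo)."""
import html
import json
import sqlite3

# The character allowlist proposed in the thread (lowercase letters, digits,
# ".,;:()/[] '" and space). Nothing else is accepted.
ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789.,;:()/[] '")


def passes_allowlist(value: str) -> bool:
    """Validation step: True only if every character is on the allowlist."""
    return all(ch in ALLOWED for ch in value)


def setup_db() -> sqlite3.Connection:
    """Constructed sample table so the queries below run offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """SQL built by string concatenation: the input becomes part of the code."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """SQL with a bound parameter: the driver keeps the input as data."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_html(name: str) -> str:
    """HTML context: escape &, <, >, double and single quotes."""
    return "<b>" + html.escape(name, quote=True) + "</b>"


def render_js(name: str) -> str:
    """JavaScript context: emit a JSON string literal. '<' and '>' are also
    written as \\u escapes so a value containing '</script>' cannot close an
    inline script block."""
    literal = json.dumps(name).replace("<", "\\u003c").replace(">", "\\u003e")
    return "var name = " + literal + ";"


def demo() -> dict:
    conn = setup_db()
    # Every character is on the allowlist, yet concatenated into SQL it turns
    # the WHERE clause into  name = '' or 'a' like 'a'  which is always true.
    sql_payload = "' or 'a' like 'a"
    # Every character is on the allowlist too; inside a single-quoted JS string
    # literal it would end the string and execute alert(1).
    js_payload = "'; alert(1); '"
    return {
        "sql_payload_allowed": passes_allowlist(sql_payload),
        "js_payload_allowed": passes_allowlist(js_payload),
        "concat_rows": lookup_concat(conn, sql_payload),  # every user leaks
        "param_rows": lookup_param(conn, sql_payload),    # no match
        # HTML escaping applied before the SQL layer is the wrong context: the
        # stored name o'brien is never found because the query asks for o&#x27;brien.
        "html_escaped_then_sql": lookup_concat(conn, html.escape("o'brien", quote=True)),
        "param_obrien": lookup_param(conn, "o'brien"),
        "html": render_html("o'brien"),
        "js": render_js(js_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the module prints each result; the two `*_allowed` entries are True, `concat_rows` lists all three users while `param_rows` is empty, and `html_escaped_then_sql` is empty even though `param_obrien` finds the user. That last pair is the "unexpected results" case: one escaping function applied to every stream either leaves one context exposed or corrupts data in another.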
