Stanislav Malyshev wrote:
>> Then I see little need for having in PHP. All it means is that developers
>> now need to write an untaint wrapper around all incoming input to shut
>> PHP annoyances up. I can guarantee you tons and tons of code that
>
> No, they need to use recommended ways to work with variables - like
> filters and other untainters.

If a frequent use case is to accept some input, store it in a database
and output it in HTML, then you will only get the benefit of taint once,
and more importantly you will potentially be less alert to catch the
potential security issues for the second.

If only return values of functions could be untainted, then you would
not need the context, but then it would be unpractical.

The other option is to establish the best practice of always using the
original untainted value when dealing with a new context. This means you
would use the $_REQUEST values in order to build up the query and then
when you build up the HTML. But again this may be unpractical, as you
may need to massage/sanitize the input slightly. Now it's not only having
to escape the data for the given context, but you also have to reapply
some custom business logic as to how the massaging of the data is to
work. I am less concerned about the performance impact, but more about
the fact that this then opens up a new class of errors, where data
displayed in one context does not match the data stored in another. So
by solving the security issue, you jeopardize the functionality.

So my conclusion at this point is that very frequently taint will not
improve the security significantly because any given input will still be
usable in an unfiltered/incorrectly filtered way for at least one
context. As such it just adds code at the very core of PHP that provides
too little of a benefit to be worthwhile.

regards,
Lukas
--
PHP Internals - PHP Runtime Development Mailing List
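
The store-in-database-then-output-as-HTML case from the message above, as an added example that is not part of the original message or of the taint proposal it discusses: a hypothetical userland `Value` wrapper (PHP 8+, every name is an assumption) that compares a single taint flag with per-context tracking.

```php
<?php
// Added illustration (PHP 8+). Hypothetical userland model; every name here
// is an assumption and none of it is the taint code proposed on the list.
final class Value
{
    /** @param string[] $safeFor contexts this string has been escaped for */
    public function __construct(public string $raw, public array $safeFor = []) {}
}

// Each escaper returns a new Value marked safe for exactly one context.
function forSql(Value $v): Value
{
    // Stand-in for a database driver's quoting routine (assumption).
    return new Value(str_replace("'", "''", $v->raw), ['sql']);
}

function forHtml(Value $v): Value
{
    return new Value(htmlspecialchars($v->raw, ENT_QUOTES, 'UTF-8'), ['html']);
}

// Single-flag model: any untainting at all makes the value acceptable everywhere.
function acceptSingleFlag(Value $v): bool
{
    return $v->safeFor !== [];
}

// Context-aware model: the sink names the context it needs.
function acceptFor(Value $v, string $context): bool
{
    return in_array($context, $v->safeFor, true);
}

$input  = new Value("O'Brien <b>x</b>"); // constructed sample input
$stored = forSql($input);                // untainted once, for the database

// The same stored value is then offered to an HTML sink.
var_dump(acceptSingleFlag($stored));     // single flag cannot tell SQL from HTML
var_dump(acceptFor($stored, 'sql'));     // context-aware check, database sink
var_dump(acceptFor($stored, 'html'));    // context-aware check, HTML sink

// Escaping the original value again for the second context.
var_dump(acceptFor(forHtml($input), 'html'));
```

The last call goes back to the original input for the new context, which is the practice the message describes; any massaging applied before storage would have to be repeated at that point.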