Hello,
On 12/20/06, Stanislav Malyshev <[EMAIL PROTECTED]> wrote:
> output to browser, output to system (console/whatever else), sql, xml,
> streams, etc... all of them require special attention.
> Hello, safe mode 2.0! :)
> Seriously, I do not think tainting is made for that - and we will have a
> ton of trouble trying to describe what is "safe for SQL" (is it for
> MySQL? Oracle? DB2? sqlite? a ton of other SQLs each with own quirks and
> quoting rules?) and what is "safe for output" (is it OK to output HTML
> tags?). Tainting mode, as I see it, is meant to achieve exactly one
> simple task - force you (as much as it can) to take explicit action on
> sanitizing the parameters before they can do any harm. I do not think it
> should make you use any specific way of sanitizing or check data for
> anything specific - this is impossible without domain-specific
> knowledge. This is a task for filters and yes - for you as a developer.
> Tainting mode only makes sure for you that you do your job.
That's exactly my point. Thanks for confirming it (asking what I know helps ;-)
One possible way to be sure developers do their jobs (or are forced to):
- set a strict default filter
- disable GPCES super globals, they will not exist anymore
It is one step more than the current filter approach but it helps a
lot. The developers have to worry about GPCES as they are not
available anymore, not outside the filter functions (a big break, but
a necessary one imho, dreaming...).
> I do not want the mode 3, for the reasons I explained earlier. I also
> Actually, I do. Especially if I had some legacy non-filtering
> application which I wanted to secure. I would prefer to break it hard
> and then assemble the pieces in the correct way, rather than play
> find-the-next-hole.
Same comment as before, drop all GPCES usages. This is a typical
situation, something like what Rasmus described in his post about Y!
policy.
> think many developers have the same reasons against it. It will be
> enabled by default by many ISP and will bring back the pain of
> safe_mode.
> It is not like safe mode, and I explained about a dozen times what the
> main difference is. Please read it. We are going in circles here.
I was not clear, I did not say it is like safe_mode: I said that this
mode 3 will bring the same amount of WTF as safe_mode in production
servers (ISP).
--Pierre
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
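The "tainting mode" idea discussed in this thread (raw GPCES input can do nothing until the developer explicitly runs it through a filter, while the choice of filter stays a domain decision) can be sketched in userland. The following is an added illustration, not code from the thread, from Pierre or Stanislav, or from any PHP extension: the `Tainted`/`Untainted` classes and the `input`, `sanitize`, `html_out` and `sql_int_clause` functions are invented for this example; only `filter_var`, `htmlspecialchars` and the `FILTER_*` constants are real PHP. It needs PHP 8.1 or later for readonly promoted properties.

```php
<?php
// Added example: a userland model of "tainting mode" as described in the thread.
// Everything that arrives from the request is wrapped in Tainted; sinks (SQL,
// HTML output) are typed to accept only Untainted, so the only way to reach a
// sink is through an explicit sanitize() call. Class and function names here
// are hypothetical, not a PHP API.

final class Tainted {
    public function __construct(public readonly string $value) {}
}

final class Untainted {
    public function __construct(public readonly string $value) {}
}

// Stands in for direct $_GET / $_POST access: with the superglobals gone,
// this is the only entry point, and it always returns tainted data.
function input(array $source, string $key): ?Tainted {
    return isset($source[$key]) ? new Tainted((string) $source[$key]) : null;
}

// The single path from Tainted to Untainted. Which filter is correct is
// domain knowledge (int, email, URL, ...) and stays with the developer, which
// is the division of labour Stanislav describes above.
function sanitize(Tainted $t, int $filter, array|int $options = 0): ?Untainted {
    $clean = filter_var($t->value, $filter, $options);
    return $clean === false ? null : new Untainted((string) $clean);
}

// Sinks accept Untainted only. Passing a Tainted (or a raw string) is a
// TypeError at the call site, which is the "break it hard" behaviour.
function html_out(Untainted $u): string {
    return htmlspecialchars($u->value, ENT_QUOTES, 'UTF-8');
}

function sql_int_clause(Untainted $u): string {
    return 'WHERE id = ' . $u->value;   // safe only because the value validated as an int
}

// Constructed sample request, standing in for a disabled $_GET.
$request = ['id' => '42; DROP TABLE users', 'name' => '<b>Pierre</b>'];

$id = input($request, 'id');
$validId = $id === null ? null : sanitize($id, FILTER_VALIDATE_INT);
if ($validId === null) {
    echo "id rejected: not an integer\n";       // the malformed id never reaches SQL
} else {
    echo sql_int_clause($validId), "\n";
}

$name = input($request, 'name');
$rawName = $name === null ? null : sanitize($name, FILTER_UNSAFE_RAW);
if ($rawName !== null) {
    echo html_out($rawName), "\n";              // tags arrive escaped, not interpreted
}

// echo html_out($id);   // would fail: Tainted is not Untainted
```

The "strict default filter" Pierre mentions exists in the real filter extension as the `filter.default` INI directive, which applies one filter to all GPC data before the script sees it; the sketch above goes a step further in the direction he describes by making unfiltered access impossible rather than merely pre-filtered.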