Hi all,

On 15.09.2015 at 17:09, Craig Francis wrote:
> 2015-09-14 4:44 GMT+02:00 Christopher Owen <christopher.o...@live.com>:
>> Please consider making ‘taint’ a first-class feature/extension in PHP 7.0.
> 
> I would echo Kalle's suggestion of 7.1.
> 
> But I think you will find it hard to get support... I was pushing this a few 
> weeks ago (either the one from Wietse Venema, the one from Matt Tait, or even 
> my own suggestion), but it seems the developers are more interested in 
> features that make them seem clever, rather than pointing out their 
> mistakes...

the problem with taint support is to get it 100% right. If you leave one
edge case open, who is to blame? PHP or the developer that was totally
confident the taint support might warn him?

The short but already stretched example is SQL injection that exploits
character sets (see
http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string/12118602#12118602),
slightly adapted:

Your connection is initialized as UTF-8 by default:
$mysqli->set_charset('utf8'); // or $mysqli->query('SET NAMES utf8'), does not matter

a lot later on, you quote a string you got from the environment:
$str = $mysqli->escape_string($_REQUEST['str']);

and then, you recognize from your session variables the user is Chinese
and you have to switch the database character set so you don't have to
convert stuff with iconv or something:

$mysqli->set_charset('gbk');
$mysqli->query("UPDATE xyz SET foo='{$str}' WHERE condition");

No problem, right? Taint does not scream, $str is perfectly secure to
use in the query, it was escaped. But it is not. You can argue "use
prepared statements" but that is not always possible. Or "do set your
character set only once directly after you connect". But it is possible,
so users will do it and be surprised if taint does not capture such
problems.

Having different taint classes is not enough, taint needs to hold the
charset the untaint is valid for as well. I am not sure even that gets
all edge cases. And if not, it gets really complicated.

Greets
Dennis
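
Added example, not from Dennis's mail and not part of PHP or mysqli: a small PHP wrapper that does what the last paragraph asks for, tagging every escaped string with the connection charset in force when it was escaped and refusing to interpolate it once the charset has changed. The class names and the %s placeholder convention are assumptions of this sketch.

```php
<?php
// Added example: bind each escaped string to the charset it was escaped
// under, so the escape-then-set_charset sequence from the mail is caught
// at query time instead of silently producing a broken escape.
// CharsetBoundString and SafeConn are hypothetical names.

final class CharsetBoundString
{
    public function __construct(
        public readonly string $escaped,
        public readonly string $charset,   // charset the escape is valid for
    ) {}
}

final class SafeConn
{
    public function __construct(private mysqli $db) {}

    public function setCharset(string $cs): void
    {
        // Go through set_charset(): real_escape_string() uses the charset the
        // client library was told about, and a plain SET NAMES leaves it stale.
        if (!$this->db->set_charset($cs)) {
            throw new RuntimeException("set_charset({$cs}) failed");
        }
    }

    public function escape(string $raw): CharsetBoundString
    {
        return new CharsetBoundString(
            $this->db->real_escape_string($raw),
            $this->db->character_set_name(),
        );
    }

    /** Run $sql with %s placeholders; every bound value must match the current charset. */
    public function query(string $sql, CharsetBoundString ...$parts): mysqli_result|bool
    {
        $now = $this->db->character_set_name();
        foreach ($parts as $p) {
            if ($p->charset !== $now) {
                throw new LogicException(
                    "value escaped under {$p->charset} used under {$now}; re-escape it");
            }
        }
        $quoted = array_map(fn(CharsetBoundString $p) => "'{$p->escaped}'", $parts);
        return $this->db->query(sprintf($sql, ...$quoted));
    }
}

// Sequence from the mail (assumes $mysqli is an open mysqli connection):
// $conn = new SafeConn($mysqli);
// $conn->setCharset('utf8');
// $s = $conn->escape($_REQUEST['str']);
// $conn->setCharset('gbk');
// $conn->query("UPDATE xyz SET foo=%s WHERE id=1", $s); // throws LogicException
```

The check is deliberately strict: it refuses the query rather than re-escaping on the fly, because the original raw input is no longer available at that point.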

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php