Re: [PHP-DEV] taint as a first-class feature for php 7.1

2015-11-19 Thread François Laupretre
On 19/11/2015 04:52, Christopher Owen wrote: I’m requesting that the functions taint() and untaint() as well as the ability to log taint information be available in the standard interpreter without extensions. Christopher Owen. On Nov 18, 2015, at 8:26 PM, Stanislav Malyshev

Re: [PHP-DEV] taint as a first-class feature for php 7.1

2015-11-19 Thread Stanislav Malyshev
Hi! > I’m requesting that the functions taint() and untaint() as well as > the ability to log taint information be available in the standard > interpreter without extensions. Given that this feature has performance implications, and is not universally needed, I don't think this would be a good

Re: [PHP-DEV] taint as a first-class feature for php 7.1

2015-11-18 Thread Stanislav Malyshev
Hi! > As discussion seems to have died out, I would like to propose moving > to the next stage for inclusion of taint as a first class feature of > php 7.1. What is the difference between what exists now (i.e., extension) and what you seek to do in 7.1? What do you mean by "first class feature"?

Re: [PHP-DEV] taint as a first-class feature for php 7.1

2015-11-18 Thread Christopher Owen
I’m requesting that the functions taint() and untaint() as well as the ability to log taint information be available in the standard interpreter without extensions. Christopher Owen. > On Nov 18, 2015, at 8:26 PM, Stanislav Malyshev wrote: > > Hi! > >> As discussion

Re: [PHP-DEV] taint as a first-class feature for php 7.1

2015-11-17 Thread Lester Caine
On 17/11/15 07:34, Christopher Owen wrote: > - Including taint as a first class feature will allow for it to be available > in future linux distribution packages of php Any decent linux distribution already makes 'optional' extensions easy to switch on or off. What you are actually proposing by

Re: [PHP-DEV] taint

2015-10-02 Thread Craig Francis
Just to add to the white/black listing argument... I would say that tainting is a whitelist approach, as everything is blocked by default (seen as untainted), and you need to escape your variables depending on the context they will be used in (or go out of your way to say it has already been

Re: [PHP-DEV] taint

2015-10-02 Thread Craig Francis
While skim reading emails (just got back from holiday), I wanted to add... On 15 Sep 2015, at 17:23, Anthony Ferrara wrote: > All, > > On Tue, Sep 15, 2015 at 11:15 AM, Arvids Godjuks > wrote: >> I fully support your effort to get this into the

Re: [PHP-DEV] taint

2015-09-29 Thread Xinchen Hui
Hey: On Thu, Sep 17, 2015 at 2:37 AM, Stanislav Malyshev wrote: > Hi! > >>> Taint is blacklisting. >>> >> Last time I checked marking all user input as tainted and requiring >> "untainting" before usage in sensitive functions is whitelisting and not >> blacklisting. > > I

Re: [PHP-DEV] taint

2015-09-16 Thread François Laupretre
Hi, On 15/09/2015 17:09, Craig Francis wrote: But I think you will find it hard to get support... I was pushing this a few weeks ago (either the one from Wietse Venema, the one from Matt Tait, or even my own suggestion), but it seems the developers are more interested in features that make

Re: [PHP-DEV] taint

2015-09-16 Thread Thomas Hruska
On 9/15/2015 9:10 AM, Dennis Birkholz wrote: Hi all, On 15.09.2015 at 17:09, Craig Francis wrote: 2015-09-14 4:44 GMT+02:00 Christopher Owen : Please consider making ‘taint’ a first-class feature/extension in PHP 7.0. I would echo Kalle's suggestion of 7.1. But

Re: [PHP-DEV] taint

2015-09-16 Thread Stefan Esser
Good morning, > ==8<-- > Taint is blacklisting. > Last time I checked marking all user input as tainted and requiring "untainting" before usage in sensitive functions is whitelisting and not blacklisting. Regards, Stefan -- SektionEins GmbH

Re: [PHP-DEV] taint

2015-09-16 Thread Stanislav Malyshev
Hi! >> Taint is blacklisting. >> > Last time I checked marking all user input as tainted and requiring > "untainting" before usage in sensitive functions is whitelisting and not > blacklisting. I would say it's neither - whitelisting is an explicit check (or fixing, to ensure) that the input

Re: [PHP-DEV] taint

2015-09-15 Thread Ángel González
On 15/09/15 18:23, Anthony Ferrara wrote: Third, it ignores context. This is related to the first two, but I think is a separate concern. An example from the taint RFC (https://wiki.php.net/rfc/taint) is the shell-execution. If the variable is used in the context of command, one escape function

Re: [PHP-DEV] taint

2015-09-15 Thread Arvids Godjuks
I fully support your effort to get this into the PHP to be part of core extensions, or at least one of those that keep up with the language releases. This is a very good tool to have, and you can actually run it in production to catch things that may have slipped the staging (things happen). And it's

Re: [PHP-DEV] taint

2015-09-15 Thread Dennis Birkholz
Hi all, On 15.09.2015 at 17:09, Craig Francis wrote: > 2015-09-14 4:44 GMT+02:00 Christopher Owen : >> Please consider making ‘taint’ a first-class feature/extension in PHP 7.0. > > I would echo Kalle's suggestion of 7.1. > > But I think you will find it hard to get

Re: [PHP-DEV] taint

2015-09-15 Thread Anthony Ferrara
All, On Tue, Sep 15, 2015 at 11:15 AM, Arvids Godjuks wrote: > I fully support your effort to get this into the PHP to be part of core > extensions, or at least one of those that keep up with the language > releases. > This is a very good tool to have, and you can

Re: [PHP-DEV] taint

2015-09-15 Thread Craig Francis
2015-09-14 4:44 GMT+02:00 Christopher Owen : > Please consider making ‘taint’ a first-class feature/extension in PHP 7.0. I would echo Kalle's suggestion of 7.1. But I think you will find it hard to get support... I was pushing this a few weeks ago (either the one

Re: [PHP-DEV] taint

2015-09-14 Thread Christopher Owen
> On Sep 14, 2015, at 1:35 PM, Kalle Sommer Nielsen wrote: > > Hi Christopher > > 2015-09-14 4:44 GMT+02:00 Christopher Owen : >> Please consider making ‘taint’ a first-class feature/extension in PHP 7.0. > > It is way too late for any extension to be

Re: [PHP-DEV] taint

2015-09-14 Thread Kalle Sommer Nielsen
Hi Christopher 2015-09-14 4:44 GMT+02:00 Christopher Owen : > Please consider making ‘taint’ a first-class feature/extension in PHP 7.0. It is way too late for any extension to be included in the 7.0 release now, but you can write an RFC targeting 7.1, please see the