-----Original Message-----
From: David Wheeler [mailto:[EMAIL PROTECTED]]
Sent: August 6, 2001 8:20 PM
To: [EMAIL PROTECTED]
Subject: [PHP-DEV] Security proposal - "SPHP" and helper functions


Dear Developers of PHP:

I have a proposal that I hope you'll like & that I think will
improve the security of PHP programs.

Shaun Clowes recently posted "A Study in Scarlet", identifying
common vulnerabilities in PHP applications; you can see it at:
  http://www.securereality.com.au/studyinscarlet.txt

I agree with Rasmus Lerdorf
that several of these issues are present in other scripting languages,
and that a key issue is that you need to check input before depending on it.

However, Clowes makes some very good points too. In particular,
it's not just that PHP makes input "easier to get at".
PHP allows attackers to totally control all global variables unless the

Personally, I think that having the functions mentioned in David's post is
a great idea.  These options would not only improve security by helping
people work around not having globals registered, but it would also make
data validation much simpler.  Currently, I have a bigass "form_handler"
class -- which validates data, cleans it, etc, etc -- but it would be much
simpler if I had a better way to get/check some things.

-Brian Tanner

//Original Message

  function get_input ($variable)
    # Return value of input named variable, or "" if unset.
    # This pays attention to gpc_order, and looks at
    # $HTTP_COOKIE_VARS, $HTTP_GET_VARS, and $HTTP_POST_VARS

  function import_variables ($list_of_variables)
    # Take a list of input (field) names as strings, and import any that
    # exist.

  function import_input_ifmatch($pattern, $list_of_variables)
    # Take a list of input (field) names as strings, and import any that
    # exist, but only if they match pattern (a Perl5 pattern, see preg_match).
    # The pattern will apply to each variable in its entirety, as though
    # the pattern has '\A' prepended and '\z' appended.

  function import_input_int($list_of_variables)
    # Take a list of input (field) names as strings, and import any that
    # exist as ints.

  function import_input_double($list_of_variables)
    # Take a list of input (field) names as strings, and import any that
    # exist as doubles.

 For your abusement, here's an implementation of import_variables:

  function import_variables () {
    # Take a list of input (field) names as strings, and import any that
    # exist. Relies on get_input() as sketched above; names not passed
    # here are never touched.
    $numargs = func_num_args();
    $arg_list = func_get_args();
    for ($i = 0; $i < $numargs; $i++) {
      $v = $arg_list[$i];
      global $$v;
      $$v = get_input($v);
    }
  }


In SPHP, programs would generally begin with calls to these import
functions, so that programs would only import values that they wanted
(instead of trusting attackers not to create new variables), e.g.:

   import_variables("name", "description");
   import_input_ifmatch("yes|no", "bald");
   import_input_int("age");


This is a little different than Zeev Suraski's 2001-07-29 post
(http://marc.theaimsgroup.com/?l=php-dev&m=99638994225888&w=2), because
it leaves the (less secure) mode of running PHP scripts as-is.
Basically, this has a migration plan.

Someday in the future you might even make register_globals off
for "regular" PHP -- but this would at least give you a
transition approach.  And if you're willing to change PHP to make
register_globals the default, that would be MUCH better from a security
standpoint.  Even then, though, I think a set of "helper" functions to
make it easy to import "only the values we expect" is important --
developers will only write secure programs if it's easy to do the "right"
way.

Anyway, I'd like to see future versions of PHP make it easy, not hard,
to write secure programs in.  I hope this email helps!

--- David A. Wheeler
    [EMAIL PROTECTED]


--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
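The helpers sketched above, written out as an added example; this is not code from the original post and not PHP's own API. It assumes modern PHP, so request data is read from the $_GET, $_POST and $_COOKIE superglobals rather than the $HTTP_*_VARS arrays of 2001, and a constant INPUT_ORDER stands in for the old gpc_order ini setting (a later letter overrides an earlier one, as gpc_order did). Imported values are published through $GLOBALS, which keeps the proposal's "import into globals" shape without variable variables. The request at the bottom is constructed for the demo, not captured from a real site.

```php
<?php
// Added example (not code from the original post): a sketch of the
// "import only what you expect" helpers. Assumptions: request data comes
// from $_GET/$_POST/$_COOKIE, and INPUT_ORDER plays the role of gpc_order.

const INPUT_ORDER = 'GPC';

// Return the value of the named input as a string, or "" if it is unset.
// Array inputs (name[]=...) are ignored so callers always get a scalar.
function get_input(string $name): string
{
    $sources = ['G' => $_GET, 'P' => $_POST, 'C' => $_COOKIE];
    $value = '';
    foreach (str_split(INPUT_ORDER) as $letter) {
        $bag = $sources[$letter] ?? [];
        if (isset($bag[$name]) && is_string($bag[$name])) {
            $value = $bag[$name];   // later sources override earlier ones
        }
    }
    return $value;
}

// Shared worker: fetch each listed input, run it through $convert, and
// publish the result as a global only if $convert accepts it (non-null).
// Names absent from the list are never touched, so an attacker-supplied
// "authorized=1" in the query string cannot create $authorized.
function import_with(callable $convert, array $names): void
{
    foreach ($names as $name) {
        $converted = $convert(get_input($name));
        if ($converted !== null) {
            $GLOBALS[$name] = $converted;
        }
    }
}

// Import the listed inputs as strings ("" when unset).
function import_variables(string ...$names): void
{
    import_with(fn(string $v) => $v, $names);
}

// Import the listed inputs only if the whole value matches $pattern
// (PCRE, as for preg_match). The pattern is wrapped in a non-capturing
// group before anchoring with \A and \z, so "yes|no" means exactly "yes"
// or "no", not "starts with yes, or ends with no".
// Assumption: $pattern does not contain the '~' delimiter.
function import_input_ifmatch(string $pattern, string ...$names): void
{
    $re = '~\A(?:' . $pattern . ')\z~';
    import_with(
        fn(string $v) => preg_match($re, $v) === 1 ? $v : null,
        $names
    );
}

// Import the listed inputs as ints. FILTER_VALIDATE_INT rejects "42abc"
// and "" outright, where an (int) cast would silently give 42 and 0.
function import_input_int(string ...$names): void
{
    import_with(
        function (string $v) {
            $n = filter_var($v, FILTER_VALIDATE_INT);
            return $n === false ? null : $n;
        },
        $names
    );
}

// Import the listed inputs as floats, with the same strictness.
function import_input_double(string ...$names): void
{
    import_with(
        function (string $v) {
            $f = filter_var($v, FILTER_VALIDATE_FLOAT);
            return $f === false ? null : $f;
        },
        $names
    );
}

// Constructed request for the demo (not captured from a real site). It
// carries an extra "authorized=1" hoping register_globals would create
// $authorized, and sends "age" by both GET and POST to show precedence.
$_GET    = ['name' => 'alice', 'authorized' => '1', 'bald' => 'yesterday', 'age' => '41abc'];
$_POST   = ['age' => '42'];
$_COOKIE = [];

import_variables('name', 'description');
import_input_ifmatch('yes|no', 'bald');
import_input_int('age');
import_input_double('price');

printf("authorized imported: %s\n", isset($authorized) ? 'yes' : 'no');
printf("name: %s\n", var_export($name, true));
printf("description: %s\n", var_export($description, true));
printf("bald imported: %s\n", isset($bald) ? 'yes' : 'no');
printf("age: %s\n", var_export($age, true));
printf("price imported: %s\n", isset($price) ? 'yes' : 'no');
```

Two points the code makes that the prose does not: the anchoring must wrap the pattern in a group, otherwise an alternation like yes|no is only anchored on its outer branches and "yesterday" slips through; and "import as int" is only a safety gain if unparseable input is rejected rather than coerced, which is why the example skips the variable instead of storing 0. Writing into $GLOBALS mirrors the 2001 proposal; a new code base would return the validated values in an array instead. register_globals itself was removed in PHP 5.4, but the allowlist-and-validate discipline the post argues for is unchanged.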