Late last year I started a discussion on this list with a proposal
to add Perl/Ruby-like taint support to PHP - a feature that a
developer may turn on to find out where to insert explicit cleaning
operations to avoid code injection etc. vulnerabilities. With
applications that are explicitly written to be taint aware, taint
support may also help at run-time as an additional safety net.

In the unavoidable trade-off between performance and developer
impact, this approach minimizes the performance hit; the developer
provides the explicit cleaning operations. Other taint-for-PHP
approaches make a different trade-off; they typically avoid developer
impact altogether, but come at the cost of a larger performance hit.

After a bunch of other work that needed to be done I've resumed
work on PHP and I'm currently working on a rough prototype that
supports taint in the core and in a bunch of standard built-ins.
Overhead is minimal because it's just setting and testing a few
normally unused bits in the zval structure. I expect to get some
actual performance data once the implementation is complete enough,
and to have a first implementation out the door sometime in September.

Wietse
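
The mechanism described in the post above (taint kept as a few flag bits on each value, with developer-supplied cleaning operations), sketched as an added example that is not code from the post or from PHP. `tval`, the `TV_TAINT_*` bits and all `tv_*` functions are hypothetical, and the split into separate HTML and SQL bits is an assumption made here for illustration.

```c
/* Toy value type for illustration; this is NOT PHP's zval, all names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TV_TAINT_HTML 0x01u   /* not yet safe to echo into HTML */
#define TV_TAINT_SQL  0x02u   /* not yet safe to place in an SQL statement */
typedef struct { char *str; unsigned char flags; } tval;

static tval tv_new(const char *s, unsigned char flags) {
    tval v = { malloc(strlen(s) + 1), flags };
    strcpy(v.str, s);
    return v;
}

/* Propagation: the result carries every taint bit of either operand. */
static tval tv_concat(tval a, tval b) {
    tval v = { malloc(strlen(a.str) + strlen(b.str) + 1),
               (unsigned char)(a.flags | b.flags) };
    strcpy(v.str, a.str);
    strcat(v.str, b.str);
    return v;
}

/* Explicit cleaning: escape for HTML, then clear only the HTML bit. */
static tval tv_clean_html(tval in) {
    tval v = { malloc(strlen(in.str) * 6 + 1),      /* "&quot;" is 6 bytes */
               (unsigned char)(in.flags & ~TV_TAINT_HTML) };
    char *o = v.str;
    for (const char *p = in.str; *p; p++) {
        switch (*p) {
        case '<':  o += sprintf(o, "&lt;");   break;
        case '>':  o += sprintf(o, "&gt;");   break;
        case '&':  o += sprintf(o, "&amp;");  break;
        case '"':  o += sprintf(o, "&quot;"); break;
        case '\'': o += sprintf(o, "&#39;");  break;
        default:   *o++ = *p;
        }
    }
    *o = '\0';
    return v;
}

/* Sinks: a single bit test decides; 1 = allowed, 0 = refused. */
static int tv_may_echo(tval v)  { return !(v.flags & TV_TAINT_HTML); }
static int tv_may_query(tval v) { return !(v.flags & TV_TAINT_SQL); }

int main(void) {
    tval in  = tv_new("<b>Bar</b>", TV_TAINT_HTML | TV_TAINT_SQL); /* constructed input */
    tval msg = tv_concat(tv_new("Hello ", 0), in);   /* literal + request data */
    tval out = tv_clean_html(msg);
    printf("%d %d %d %s\n", tv_may_echo(msg), tv_may_echo(out), tv_may_query(out), out.str);
    return 0;
}
```

The cleaned value passes the HTML sink but is still refused by the SQL sink, which is the point of keeping more than one bit: a cleaning operation only vouches for the context it was written for.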


  • Guilherme Blanco at Aug 10, 2007 at 12:37 am
    Hi,

    It seems you had an interesting idea, but AFAIK it'll not be incorporated
    in core by the PHP Team.
    Yeah, sounds bad, but you cannot simply turn all variables into
    objects and try to get them.

    Seems you're trying something like that:

    $_GET['foo']->asString(); // echo: Bar

    This will never happen, PHP will not change its behavior to fulfill it.
    I already thought like you and I even spent some time to develop a
    tool to simplify my job. The concept you try to implement is named
    Poka-Yoke (http://en.wikipedia.org/wiki/Poka_yoke) - and please
    again... do not tell me this is like Pokémon.

    I already asked here when I was developing this feature about a
    limitation PHP currently has, but this is not the current discussion.

    Just to let you know, if you are thinking of doing something like what I
    already showed you as an example, forget it. If you are trying something
    different, like:

    taint_string( $_GET['foo'] ); // echo: Bar

    Then you need to think correctly about what you want to achieve. There
    are zillions of PHP applications running out there and none of them
    will be converted to use taint-package.

    The first example illustrates how PHP should behave with a taint
    extension; and accessing the data directly: $_GET['foo'] should throw an
    error.

    My idea: Keep things simple and validate all your data using PHP. You
    do not have to go "behind the scenes" and create a C library to
    achieve it.

    If you are interested, I already implemented the PokaYoke approach and
    I made it available for you at:
    http://blog.bisna.com/files/PokaYoke.zip
    I also published the running package: http://blog.bisna.com/files/PokaYoke/
    Take a look at the examples... I published the phps files if you are
    lazy and do not want to download the zip file. You can incorporate the
    module and keep it project specific.
    My implementation was never released to the public, but it works as
    expected. It's better to make a project-specific feature and use it
    instead of trying to create a module.


    Best regards,

    --
    Guilherme Blanco - Web Developer
    CBC - Certified Bindows Consultant
    Cell Phone: +55 (16) 9166-6902
    MSN: guilhermeblanco@hotmail.com
    URL: http://blog.bisna.com
    São Carlos - SP/Brazil
  • Richard Quadling at Aug 10, 2007 at 7:34 am

    Marco Tabini wrote a great article in php|Architect (Vol 5 Iss 2 Feb
    2006 Pgs 16-24) on Poka Yoke.

    http://www.phparch.com/issue.php?mid=74

    --
    -----
    Richard Quadling
    Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731
    "Standing on the shoulders of some very clever giants!"
  • Guilherme Blanco at Aug 10, 2007 at 4:02 pm
    Hi,

    @Graham: It will probably be one of the two:
    1- Overwrite the superglobal indexes ( $_GET['foo']->asFloat() )
    2- Use a method/class to taint the value ( taint_float( $_GET['foo'] ) )
    I illustrated both and why both have their drawbacks.

    @Richard: I already read Marco's article. My implementation is
    another implementation of what he suggested and also with some new
    features.
    Anyway, that's a good reference to everyone that wants to know a
    little bit more about this approach.


    Regards,
  • Richard Quadling at Aug 10, 2007 at 7:38 am

    Marco Tabini wrote a great article in php|Architect (Vol 5 Iss 2 Feb
    2006 Pgs 16-24) on Poka Yoke.




Discussion Overview
group: php-internals
categories: php
posted: Aug 9, '07 at 10:44p
active: Aug 10, '07 at 4:02p
posts: 5
users: 3
website: php.net
