PHP 10.0 Blog

What if…

php -T

Posted by Stas on December 8, 2006

Perl and Ruby have variable tainting. Maybe PHP should have it too?

Approaches for Perl and Ruby are somewhat different. One difference is that in Perl you have some operations that untaint variables automagically, while in Ruby you have always to explicitly declare a variable non tainted anymore.
Also, Ruby has different levels of protection, so tainging can be light nuisance on the low level or full sandbox mode on a high level. That’s another interesting thing ot explore – using tainting to sandbox scripts. Though in PHP due to the fact that all runtime data are isolated per-request and the engine is built to support multiple requests, it might be easier to implement sandboxing in a different way, but the Ruby approach is interesting to explore.

Of course, due to the multitude of functions in PHP the approach of “mark unsafe functions” which Ruby seems to use is prone to the same failures as the safe mode – there’s always at least one function that isn’t properly restricted – so if one wants to implement proper tainting or sandboxing, it probably should be based on more generic approach that would account for existance of functions unknown in design time. It’s still not 100% as carefully miswritten extension can do anything the OS permissions allow C code to do, but some restrictions might still be done – e.g., on some security level function calls to functions not marked “safe for tainted data” with tainted arguments might be prohibited by the engine. That’d probably break 99% of the existing code, so it would come at cost in any case. But the benefit would be that once the application passes such test, we can reasonably claim certain level of security – not 100% security, but at least decent level of protection for people that do not remember to validate their data properly.

This can also be connected to zval custom info idea, as taitning flag is a good example of the custom info.

About these ads

2 Responses to “php -T”

  1. PHP 10.0 Blog: php -T (variable tainting)

  2. Lukas said

    Well we have runkit, which allows you to call and interact with a sandboxed PHP instance. Interestingly this PHP instance can be configured to any set of functions and more interestingly even could even be a different PHP version. Unfortunately performance isn’t too great at the moment .. maybe Sara will add a FastCGI like instance reuse feature to speed up performance one day ..

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.

%d bloggers like this: