| Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision |
| rfc:taint [2008/07/06 23:06] – wietse | rfc:taint [2010/01/08 21:11] – external edit 127.0.0.1 |
|---|
| ====== Taint support for PHP ====== | ====== Taint support for PHP ====== |
| |
| * **Author:** Wietse Venema (wietse@porcupine.org) \\ IBM T.J. Watson Research Center \\ Hawthorne, NY, USA | * **Author:** [[http://www.porcupine.org/wietse/|Wietse Venema (wietse@porcupine.org)]] \\ IBM T.J. Watson Research Center \\ Hawthorne, NY, USA |
| * **Version:** 20080622 | * **Version:** 20080622 |
| * **Source code:** [[ftp://ftp.porcupine.org/pub/php/php-5.2.5-taint-20080622.tar.gz|tar.gz]] ([[ftp://ftp.porcupine.org/pub/php/php-5.2.5-taint-20080622.tar.gz.sig|pgp signature]]) | * **Source code:** [[ftp://ftp.porcupine.org/pub/php/php-5.2.5-taint-20080622.tar.gz|tar.gz]] ([[ftp://ftp.porcupine.org/pub/php/php-5.2.5-taint-20080622.tar.gz.sig|pgp signature]]) |
| * **Win32 binaries:** [[ftp://ftp.porcupine.org/pub/php/.win32/php-5.2.5-taint-20080622-win32-installer.msi|installer]] ([[ftp://ftp.porcupine.org/pub/php/.win32/php-5.2.5-taint-20080622-win32-installer.msi.sig|pgp signature]]) | [[ftp://ftp.porcupine.org/pub/php/.win32/php-5.2.5-taint-20080622-Win32.zip|zip file]] ([[ftp://ftp.porcupine.org/pub/php/.win32/php-5.2.5-taint-20080622-Win32.zip.sig|pgp signature]]) | * **Win32 binaries:** [[ftp://ftp.porcupine.org/pub/php/.win32/php-5.2.5-taint-20080622-win32-installer.msi|installer]] ([[ftp://ftp.porcupine.org/pub/php/.win32/php-5.2.5-taint-20080622-win32-installer.msi.sig|pgp signature]]) | [[ftp://ftp.porcupine.org/pub/php/.win32/php-5.2.5-taint-20080622-Win32.zip|zip file]] ([[ftp://ftp.porcupine.org/pub/php/.win32/php-5.2.5-taint-20080622-Win32.zip.sig|pgp signature]]) |
| | * **Mailing list: ** [[http://marc.info/?l=php-internals|PHP internals]] |
| * **Miscellaneous: ** [[ftp://ftp.porcupine.org/pub/php/CHANGELOG|Change log]] [[ftp://ftp.porcupine.org/pub/php/LICENSE|License]] [[ftp://ftp.porcupine.org/pub/php/wietse-public-key.pgp|pgp public key]] | * **Miscellaneous: ** [[ftp://ftp.porcupine.org/pub/php/CHANGELOG|Change log]] [[ftp://ftp.porcupine.org/pub/php/LICENSE|License]] [[ftp://ftp.porcupine.org/pub/php/wietse-public-key.pgp|pgp public key]] |
| * **Status:** In the works | * **Status:** In the works |
| | |
| |
| ===== Introduction ===== | ===== Introduction ===== |
| ===== What has been implemented sofar ===== | ===== What has been implemented sofar ===== |
| |
| I have built taint support with the following server APIs: cli, cgi; apache1, apache2 and apache2filter plug-in; and with the the following extensions: mysqli, mysql and mbstring. Other server APIs and extensions will follow as time permits. | I have implemented taint support with the following server APIs: cli, cgi; apache1, apache2 and apache2filter plug-in; and with the the following extensions: mysqli, mysql and mbstring. Other server APIs and extensions will follow as time permits. |
| |
| What about the other extensions? The other extensions will work just fine as long as you leave "taint_error_level" at its default setting. They may trigger false warnings when you raise the taint error level, because they don't know how to properly initialize certain bits that taint support relies on. This problem should not exist, but unfortunately there is a lot of PHP source code that does not use standard macros when initializing PHP data structures. | What about the other extensions? The other extensions will work just fine as long as you leave "taint_error_level" at its default setting. They may trigger false warnings when you raise the taint error level, because they don't know how to properly initialize certain bits that taint support relies on. This problem should not exist, but unfortunately there is a lot of PHP source code that does not use standard macros when initializing PHP data structures. |
| |
| Extensions that haven't been updated with taint support will ignore taint information in their inputs, and will therefore not propagate taint information from their inputs to their outputs. | Extensions that haven't been updated with taint support will ignore taint information in their inputs, and will therefore not propagate taint information from their inputs to their outputs. |
| | |
| ===== Using taint support with real PHP applications ===== | ===== Using taint support with real PHP applications ===== |
| |