PHPRO.ORG

A proposal from Wietse Venema from IBM Research has set the PHP internals tongues wagging. Wietse is the man responsible for such legendary applcations as Postfix and is co-author of the Coroner's toolkit, SATAN, and is also the original author of TCP Wrapper. Not too shabby in the credentials department. The proposal is to add basic Perl/Ruby like tainting support to PHP. (if perl has it it must be good).

The basic principal is that any data that is used without first being un-tainted, raises a flag and an alert is sent. The coder can then ensure that the data is clean or un-tainted. When a variable is untainted, it is flagged as such and would raise no alert. Initially any external data is flagged as tainted. Tainted data would not be able to used with certain operations that may change PHPs internal state, like include or eval. This would also apply externally to creating files or connecting to a database. Wietse went on to further detail a high level view of the operation.

Almost immediatly the community was upon the idea. The problems this would cause with external extensions would be overwhelming. Claims that this was just another safe-mode in claiming to able to provide a measure of security without any real substance. Over head issues would heavy and a claim that the holy grail of automatic filtering in security would not be gained here. The filter extension already addresses many of these issues, however it does not flag any data as un-tainted.

The general opinion of the community at large was that tagging data as clean may lead to a false sense of security. Automatic checks are no substitute for quality coding practices. A username and password can be un-tainted, but if they are sent via GET then there is an issue. Of course, the proposal was not universally poo-pooed and some claimed that any boost to security provides a benifit to users. Most of this noise came from the Zend camp.

How will it all end, will the IBM/Zend team have its way with PHP or will the PHP stalwarts beat some sense into them. Stay tuned for more.