From: Wesley M. <we...@we...> - 2006-03-25 07:15:31

We could use the approach required by taint mode in Perl, where any inputs from the user must pass through your grep patterns and be pulled into separate values from the matching values. I guess this would work by having a separate function that is the only place in PHP iCalendar that can access _GET, _REQUEST, or cookies, and it will return an array of the values it has pulled out of any of those inputs. This would isolate things and make it easy to identify code that isn't following this rule.

On Mar 23, 2006, at 8:28 AM, Jim Hu wrote:

> Getting back to #1, we really should not be using any superglobals without verifying their content. I've been thinking this for a while. I suggest that this should be a high priority item. The approach I am thinking of is a script that runs early that reads all of these, checks their content, and throws a break-in attempt error if anything looks inappropriate. There are two approaches to this:
>
> 1) Rewrite the content of the superglobals we use. This is probably not a good way, since as we add code, we may add a new $_GET or $_REQUEST that isn't checked.
>
> 2) Move all the validated content into a new array $clean[$key] (or some other array name) and then unset the other superglobals after the validation script runs. This is my preferred method, but it means that we may frustrate people who are trying to add new features or customize their code.

--
Wesley Miaw
we...@we...
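The chokepoint the two messages describe, written out as an added example that is not PHP iCalendar's own code: one function is the only reader of $_GET, $_REQUEST and $_COOKIE, every expected key carries the pattern it must match, a mismatch aborts the request, and the raw superglobals are unset once $clean is built. The key names, patterns and the read_clean_input name are constructed for illustration.

```php
<?php
// Added example (not from PHP iCalendar). The only place in the code base
// that may touch $_GET, $_REQUEST or $_COOKIE; grepping for those names
// outside this file then flags code that bypasses validation.

/**
 * Build the $clean array from a whitelist of expected keys.
 *
 * @param array      $spec key => ['from' => get|request|cookie, 'match' => regex]
 * @param array|null $raw  substitute for the superglobals (handy in tests)
 * @return array            only keys that were present AND matched their pattern
 * @throws RuntimeException on the first value that fails its pattern
 */
function read_clean_input(array $spec, ?array $raw = null): array
{
    $sources = $raw ?? [
        'get'     => $_GET,
        'request' => $_REQUEST,
        'cookie'  => $_COOKIE,
    ];
    $clean = [];
    foreach ($spec as $key => $rule) {
        $source = $sources[$rule['from']] ?? [];
        if (!array_key_exists($key, $source)) {
            continue;                        // optional parameter not supplied
        }
        $value = $source[$key];
        // Arrays (foo[]=x) never match a scalar pattern; treat them as hostile too.
        if (!is_string($value) || preg_match($rule['match'], $value) !== 1) {
            // The "break-in attempt" error from the thread: refuse the whole
            // request instead of passing a half-trusted value downstream.
            throw new RuntimeException("Rejected request input for '$key'");
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Constructed sample whitelist; keys and patterns are illustrative only.
$spec = [
    'cal'     => ['from' => 'get',     'match' => '/^[A-Za-z0-9_.-]{1,64}$/'],
    'getdate' => ['from' => 'request', 'match' => '/^[0-9]{8}$/'],
    'lang'    => ['from' => 'cookie',  'match' => '/^[a-z]{2}(-[A-Z]{2})?$/'],
];
$clean = read_clean_input($spec);

// Approach 2 from the thread: after validation, nothing else can read the
// raw input, so a newly added $_GET[...] elsewhere fails loudly rather than
// silently skipping the check. Done at file scope so it affects the globals.
unset($_GET, $_REQUEST, $_COOKIE);
```

Code added later that needs a new parameter must extend $spec with a pattern, which is exactly the friction Jim anticipates for people customizing their copy.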