From: Jim Hu <ji...@ta...> - 2006-03-25 07:55:57
On Mar 25, 2006, at 1:15 AM, Wesley Miaw wrote:

> We could use the approach required by taint-mode in Perl, where any inputs from the user must pass through your grep patterns and be pulled into separate values from the matching values. I guess this would work by having a separate function that is the only place in PHP iCalendar that can access _GET, _REQUEST, or cookies, and it will return an array of the values it has pulled out of any of those inputs. This would isolate things and make it easy to identify code that isn't following this rule.

I think we could accomplish this by putting a module of this kind as a require_once from init.inc.php. We'd move the cookie stuff into it. I'm not very good with regex, though... so help is needed! Anyone know if there is a good module we could use for this from PEAR or elsewhere?

I propose that 2.2x continue to be minor tweaks of what we currently have, and this be a goal for 2.3. If danon is still working on his improved admin page, I think this will be needed.

Jim

>
> On Mar 23, 2006, at 8:28 AM, Jim Hu wrote:
>>
>> Getting back to #1, we really should not be using any superglobals without verifying their content. I've been thinking this for a while. I suggest that this should be a high priority item. The approach I am thinking of is a script that runs early that reads all of these, checks their content, and throws a breakin attempt error if anything looks inappropriate. There are two approaches to this:
>>
>> 1) Rewrite the content of the superglobals we use. This is probably not a good way, since as we add code, we may add a new $_GET or $_REQUEST that isn't checked.
>>
>> 2) Move all the validated content into a new array $clean[$key] (or some other array name) and then unset the other superglobals after the validation script runs. This is my preferred method, but it means that we may frustrate people who are trying to add new features or customize their code.
>
> --
> Wesley Miaw
> we...@we...
>
> _______________________________________________
> Phpicalendar-devel mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phpicalendar-devel
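The scheme discussed in this thread (one module that is the only place allowed to read the raw request, a whitelist of regexes whose captures are copied into `$clean`, a break-in error for anything that does not match, and the superglobals emptied afterwards) could look like the following. This is an added illustration written for this page, not PHP iCalendar's own code; the file name `clean_input.inc.php`, the parameter names and their patterns, and the helper names `extract_clean_input` and `breakin_attempt` are all assumptions made for the example.

```php
<?php
// Hypothetical clean_input.inc.php (added example, not PHP iCalendar code).
// Meant to be require_once'd early from init.inc.php. This is the ONLY file
// that touches $_GET, $_POST, $_COOKIE or $_REQUEST; everything else reads
// from $clean.

// Whitelist of the parameters the application expects. Each regex's first
// capture group is the only thing allowed through (Perl taint style: the
// untrusted string itself is never used, only what the pattern extracted).
// The names and patterns below are illustrative assumptions, not the
// project's real parameter list. The /D modifier makes "$" refuse a trailing
// newline, which a bare "$" would otherwise accept.
$input_patterns = array(
    'cal'             => '/^([A-Za-z0-9_\-]{1,64})$/D',              // calendar name
    'getdate'         => '/^((?:19|20)\d{2}(?:0[1-9]|1[0-2])(?:0[1-9]|[12]\d|3[01]))$/D', // YYYYMMDD
    'cpath'           => '/^([A-Za-z0-9_\/\-]{1,128})$/D',           // sub-path: no "." so no ".."
    'default_view'    => '/^(day|week|month|year)$/D',               // fixed vocabulary
    'cookie_language' => '/^([A-Za-z]{2,32})$/D',                    // language name from a cookie
);

/**
 * Pull every whitelisted parameter out of the raw request arrays and return
 * the array of extracted values. Anything present in the request that does
 * not match its pattern is treated as a break-in attempt.
 */
function extract_clean_input(array $patterns, array $get, array $post, array $cookie)
{
    $clean = array();
    // Explicit precedence (GET, then POST, then cookie) instead of relying on
    // $_REQUEST, whose merge order depends on php.ini settings.
    $sources = array('GET' => $get, 'POST' => $post, 'COOKIE' => $cookie);

    foreach ($patterns as $name => $regex) {
        foreach ($sources as $label => $raw) {
            if (!array_key_exists($name, $raw)) {
                continue;
            }
            // Array-valued parameters (name[]=...) are never expected here.
            if (!is_string($raw[$name])) {
                breakin_attempt($name, $label, '(array)');
            }
            if (preg_match($regex, $raw[$name], $m) !== 1) {
                breakin_attempt($name, $label, $raw[$name]);
            }
            // Only the captured group survives; the original string is dropped.
            $clean[$name] = $m[1];
            break; // first source that carries the parameter wins
        }
    }
    return $clean;
}

/**
 * Log the rejected parameter and stop the request. The raw value is not
 * echoed back to the browser, only its length is recorded.
 */
function breakin_attempt($name, $source, $value)
{
    error_log(sprintf('phpicalendar: rejected %s parameter "%s" (%d bytes)',
                      $source, $name, strlen($value)));
    header('HTTP/1.0 400 Bad Request');
    exit('Invalid request parameter: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
}

$clean = extract_clean_input($input_patterns, $_GET, $_POST, $_COOKIE);

// Approach 2 from the earlier mail: once validation has run, the superglobals
// are emptied, so code that still reads $_GET['x'] directly gets an
// undefined-index notice and an empty value instead of unchecked input.
$_GET = $_POST = $_COOKIE = $_REQUEST = array();
```

Two points worth keeping in mind when adapting this: a parameter that is absent from the request is simply absent from `$clean` (callers use `isset($clean['cal'])`, not a default pulled from the request), and the patterns should describe the smallest shape the application can accept, since anything the capture group lets through will be used as trusted from then on.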