Re: what's the difference in the following code?

Chris Shiflett wrote:
> On Oct 17, 2008, at 1:58 PM, Lamp Lists wrote:
> 
>> I'm reading "Essential PHP Security" by Chris Shiflett.
>>
>> on the very beginning, page 5 & 6, if I got it correct, he said this
>> is not good:
>>
>> $search = isset($_GET['search']) ? $_GET['search'] : '';
>>
>> and this is good:
>>
>> $search = '';
>> if (isset($_GET['search']))
>> {
>>    $search = $_GET['search'];
>> }
>>
>> what's the difference? I really can't see?
> 
> I believe I was trying to emphasize how simple, obvious code can be a
> boon to security. I'm sure I could have picked a better example, but let
> me show you a line of code I noticed in a security audit just yesterday
> (only the variable name has been changed to be generic):
> 
> $host = strlen($host) > 0 ? $host : htmlentities($host);
> 
> We have developed tools to help us find things like this, but imagine
> you're manually reviewing a colleague's code, and you're looking through
> a few thousand lines to try to help identify security problems.
> 
> In this particular example, my first thought was to suggest specifying
> the character encoding when using htmlentities(), and making sure this
> matches the Content-Type header, to avoid things like this:
> 
> http://shiflett.org/blog/2005/dec/google-xss-example
> 
> You might also be distracted by the comparison of strlen() to 0, since
> it seems like you could simply rely on a boolean evaluation of strlen()
> instead.
> 
> Can you spot the bigger problem?
> 
> The order is reversed, so if $host has a non-zero length, it is not
> escaped.

First thing that I noticed; second, wondering why no charset was specified;
thirdly, was wondering why it's not plain:

$host = htmlentities($host);

But nonetheless your point stands. :-)

Now about that charset ... your blog post uses UTF-7 to demonstrate the
potential for problems ... but htmlentities() doesn't support that charset,
or at least not according to the docs; in fact the list of supported charsets
is quite limited. Out of curiosity, what would your recommendation be
if one is faced with having to 'htmlentize' a string encoded in UTF-7 or
some other charset not supported by htmlentities()?

A second question: strip_tags() doesn't have a charset parameter, so how does
it manage to cope without knowing the input string encoding? Or does it
not, and is it actually vulnerable to maliciously encoded input?


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
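The reversed ternary from Chris's audit next to a corrected version, as an added example that is not from the thread or the book. The sample input is constructed; the function names and the UTF-8 charset are assumptions, and the Content-Type header is included only to show that it must agree with the charset passed to htmlentities().

```php
<?php
// Added example (not from the thread): the audited line beside a corrected
// version, with an explicit charset that must match the Content-Type header.
declare(strict_types=1);

// The audited line as quoted in the thread: a non-empty $host takes the
// first branch and is returned without ever being escaped.
function escape_host_reversed(string $host): string
{
    return strlen($host) > 0 ? $host : htmlentities($host);
}

// Corrected: escape unconditionally, quote both quote styles, and name the
// charset so the browser cannot reinterpret the output under another encoding.
function escape_host(string $host): string
{
    return htmlentities($host, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input containing markup characters (assumption).
$sample = 'example.com<b>not escaped</b>';

// Must agree with the 'UTF-8' passed to htmlentities() above
// (a silent no-op when run from the CLI).
header('Content-Type: text/html; charset=UTF-8');

$reversed = escape_host_reversed($sample);
$fixed    = escape_host($sample);

printf("reversed: %s\n", $reversed); // the <b> tag passes through untouched
printf("fixed:    %s\n", $fixed);    // &lt;b&gt; ... &lt;/b&gt; is inert in HTML

// Self-check: the corrected helper never leaves a raw '<' in its output,
// while the reversed one does for any non-empty input.
assert(strpos($fixed, '<') === false);
assert(strpos($reversed, '<') !== false);
```

Running this from the CLI prints the two lines and passes both assertions; the reversed helper only escapes the one input that needs no escaping, the empty string.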

