Introduction

Taint est une extension dont le but est de détecter les codes XSS. Cette extension peut être utilisée pour mettre en lumière certaines vulnérabilités concernant des injections sql, des injections shell, etc.

Lorsque taint est actif, si vous passez une chaîne non propre (provenant de $_GET, $_POST ou $_COOKIE) à des fonctions, taint vous en alertera.

Exemple #1 Exemple avec Taint()

<?php
$a
= trim($_GET['a']);

$file_name = '/tmp' . $a;
$output = "Welcome, {$a} !!!";
$var = "output";
$sql = "Select * from " . $a;
$sql .= "ooxx";

echo
$output;

print $
$var;

include
$file_name;

mysql_query($sql);
?>

Résultat de l'exemple ci-dessus est similaire à :

Warning: main() [function.echo]: Attempt to echo a string that might be tainted

Warning: main() [function.echo]: Attempt to print a string that might be tainted

Warning: include() [function.include]: File path contains data that might be tainted

Warning: mysql_query() [function.mysql-query]: SQL statement contains data that might be tainted
add a note add a note

User Contributed Notes 1 note

up
0
wolfen at gmail dot com
9 years ago
I'm wondering about the quality of this PHP extension, specifically:

1. Are there any known bugs or limitations?
2. How does enabling it affect the performance of a typical system?
3. Would I be foolish to use it in PROD? Yes, yes, I know *not* using Taint in PROD is risky, that is why I want to use it! But I need to know the risks associated with using it in order to be able to make a rational decision.

Also, is this the same as the PECL package developed by Weitse Venema following PHP RFC for Taint (https://wiki.php.net/rfc/taint) or does it differ significantly in any way?
To Top