Filtering Tainted Data: ext/filter vs. Zend_Filter
Ben Ramsey, International PHP Conference
8 November 2006
Welcome
• BenRamsey.com
• I work for Art & Logic, Inc.
• PHP 5 Certification Study Guide author
• Organizer of the Atlanta PHP user group
Overview
• Filtering Input
• Zend_Filter_Input
• ext/filter
• Filtering Tips
Filtering Input
Why Filter Input?
• Input comes from everywhere
• You cannot control the origin of input
• They’re sending all kinds of input
• Thus, you can’t trust the data
• You don’t want to accept bad or incorrect data
What Is Filtering?
• Data inspection process
• By which you validate input according to your data model
• You can choose to accept or reject the input if it doesn’t match your model
Where To Filter?
• Client-side?
• All client-side filtering can be circumvented
• Server-side?
• Best place to filter; not so user-friendly
• Both?
• Client-side provides good user experience
• Server-side ensures good data
Filtering Methodologies
• Blacklist filtering
• Whitelist filtering
• Sanitizing data
Blacklist Filtering
• Negative filtering
• “I know what data I don’t want to allow”
• Block input based on a list of unacceptable values
• Must continually add to this list as you discover new unacceptable values
Whitelist Filtering
• Positive filtering
• “I know what data I do want to allow”
• Accept input based on a list of acceptable values
• Benefit: you always know what you want to accept
Sanitizing
• Lenient “filtering”
• Two approaches:
• Blacklist: “I’ll accept everything and strip out what I don’t want”
• Whitelist: “I’ll accept everything and extract only what I do want”
• Though the input is sanitized, it may not be good data
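The three methodologies side by side on one field, as an added example in plain PHP (not code from the slides). The field is a user handle; the blacklist token list and the sample inputs are constructed for the illustration. The second input carries a tag and an event handler the blacklist does not list, so it sails through, while the whitelist does not care which trick was used; the two sanitizers return something, but as the slide says, not necessarily good data.

```php
<?php
declare(strict_types=1);

/** Blacklist: reject input that contains a known-bad token; null means rejected. */
function blacklistFilter(string $value): ?string
{
    $badTokens = ['<script', 'javascript:', 'onerror='];   // constructed, and always incomplete
    foreach ($badTokens as $bad) {
        if (stripos($value, $bad) !== false) {
            return null;
        }
    }
    return $value;            // accepted unchanged, including anything not on the list
}

/** Whitelist: accept only what matches the data model (a handle: 1..32 word characters). */
function whitelistFilter(string $value): ?string
{
    return preg_match('/^[A-Za-z0-9_]{1,32}$/', $value) === 1 ? $value : null;
}

/** Sanitize, blacklist style: accept everything and strip what we do not want. */
function sanitizeByStripping(string $value): string
{
    return strip_tags($value);
}

/** Sanitize, whitelist style: accept everything and extract only what we do want. */
function sanitizeByExtracting(string $value): string
{
    return preg_replace('/[^A-Za-z0-9_]/', '', $value) ?? '';
}

// Constructed inputs: a good handle, a blacklist bypass, and a listed payload.
$inputs = [
    'alice_42',
    '<img src=x onload=alert(1)>',
    '<script>alert(1)</script>',
];

foreach ($inputs as $in) {
    printf(
        "%-28s blacklist=%-12s whitelist=%-12s strip=%-12s extract=%s\n",
        $in,
        var_export(blacklistFilter($in), true),
        var_export(whitelistFilter($in), true),
        var_export(sanitizeByStripping($in), true),
        sanitizeByExtracting($in)
    );
}
```

Run it and read the second row: the blacklist returns the `<img ...>` payload unchanged, the whitelist rejects it, `strip_tags()` turns it into an empty string and extraction turns it into `imgsrcxonloadalert1`. Only the whitelist result is data the application actually asked for; the blacklist has to grow by one entry every time a row like that is found.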
Filtering Practices
• Opt-in filtering
• Opt-out filtering
Opt-In Filtering
• All input is unfiltered to begin with
• You choose when you want to filter data
• Nothing to stop you or your development team from using unfiltered data
• Typical approach is to filter input from $_GET and $_POST and store it back to these variables or a new variable
Opt-Out Filtering
• Everything is filtered by default
• No access to unfiltered data except by choice
• No accidental usage of $_GET, $_POST, etc.
• You must make a conscious decision to opt-out of the filtering and get raw data
Enforce Opt-out Filtering
• Ensures that you and your development team cannot accidentally access unfiltered input
• Must consciously decide to use raw data
• PHP does not do this by default, nor does Zend_Filter_Input or ext/filter
• I’ll show you how
Zend_Filter_Input
Zend_Filter_Input Philosophy
• Filter from the application level
• Opt-out filtering
• Not enforced by default
• Whitelist filtering
• Provides sanitizing methods, if desired
Quick Example
Set Up Opt-out Environment
Method Types
• no*() methods
• Blacklist sanitizers
• get*() methods
• Whitelist sanitizers
• test*() methods
• Whitelist filters
no*() Methods
• noPath() — returns basename(value)
• noTags() — strips all tags from value
get*() Methods
• getAlnum() — returns only alphanumeric chars
• getAlpha() — returns only alphabetic chars
• getDigits() — returns only digits
• getDir() — returns dirname(value)
• getInt() — returns (int) value
• getPath() — returns realpath(value)
• getRaw() — returns original value (opt-out)
test*() Methods
• testAlnum()
• testAlpha()
• testBetween()
• testCcnum()
• testDate()
• testDigits()
• testEmail()
test*() Methods
• testFloat()
• testGreaterThan()
• testHex()
• testHostname()
• testInt()
• testIp()
• testLessThan()
test*() Methods
• testName()
• testOneOf()
• testPhone()
• testRegex()
• testZip()
Extended Example
• Typical form that asks for information
• Use Zend_Filter_Input to filter the values for the following types of data:
• name == alphabetic string
• age == integer with min and max
• website == valid URL format
• e-mail == valid e-mail format
• color == one of red, blue, or green
form.html
FormController.php
ext/filter
ext/filter Philosophy
• Filter from the PHP level
• Opt-in filtering
• Does provide a default filter setting, though
• Whitelist and sanitizing filters
Quick Example
Configuration
• Two php.ini settings for ext/filter
• filter.default = unsafe_raw
• filter.default_flags =
• My personal wish: a third setting for enforcing an opt-out environment
Set Up Opt-out Environment
Functions Available
• filter_input()
• filter_input_array()
• filter_var()
• filter_var_array()
• filter_has_var()
• filter_list(), filter_id()
filter_input()
• Basic usage:
• filter_input(type, name, [filter, [options]])
• Type == Location of input
• Name == Name of input variable to get
• Filter == Filter to apply
• Options == Associative array of options
Types
• INPUT_GET
• INPUT_POST
• INPUT_COOKIE
• INPUT_SERVER
• INPUT_ENV
• INPUT_SESSION (not yet implemented)
• INPUT_REQUEST (not yet implemented)
Whitelist Filters
• FILTER_VALIDATE_INT
• FILTER_VALIDATE_BOOLEAN
• FILTER_VALIDATE_FLOAT
• FILTER_VALIDATE_REGEXP
• FILTER_VALIDATE_URL
• FILTER_VALIDATE_EMAIL
• FILTER_VALIDATE_IP
Whitelist Sanitizers
• FILTER_SANITIZE_STRING (deprecated since PHP 8.1)
• FILTER_SANITIZE_STRIPPED (alias of FILTER_SANITIZE_STRING; deprecated since PHP 8.1)
• FILTER_SANITIZE_EMAIL
• FILTER_SANITIZE_URL
• FILTER_SANITIZE_NUMBER_INT
• FILTER_SANITIZE_NUMBER_FLOAT
Escaping Sanitizers
• FILTER_SANITIZE_ENCODED
• FILTER_SANITIZE_SPECIAL_CHARS
• FILTER_SANITIZE_MAGIC_QUOTES (deprecated in PHP 7.3, removed in PHP 8.0)
Opting Out
• FILTER_UNSAFE_RAW
• FILTER_CALLBACK
Extended Example
• Same form as earlier
• Use ext/filter to filter the values for the same type of data as used earlier:
• name == alphabetic string
• age == integer with min and max
• website == valid URL format
• e-mail == valid e-mail format
• color == one of red, blue, or green
form.html
process.php
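The form from both Extended Example slides (name, age, website, e-mail, color) validated with ext/filter and wrapped in the kind of opt-out environment the "Set Up Opt-out Environment" slides call for. This is an added example, not the slides' process.php or FormController.php: the class name FilteredInput, the age range 13 to 120, the letters-only name rule and the sample submission at the bottom are my assumptions. It filters a copy of $_POST with filter_var_array() rather than filter_input(INPUT_POST, ...) so that it also runs from the command line, where there is no POST body to read. Needs PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example (PHP 8.0+), not the slides' code. Field names follow the
// Extended Example slides; class name, age range and sample data are assumptions.

final class FilteredInput
{
    /** @var array<string, mixed> the unfiltered request, reachable only through this object */
    private array $raw;

    /** Takes the superglobal by reference so it can be emptied: the opt-out environment. */
    public function __construct(array &$source)
    {
        $this->raw = $source;
        $source    = [];   // $_POST is empty for the rest of the request
    }

    /** Opt-out: the raw value, for the caller that consciously asks for it. */
    public function raw(string $name): mixed
    {
        return $this->raw[$name] ?? null;
    }

    /**
     * Whitelist validation of the whole form in one filter_var_array() call.
     * Returns [clean values, names of rejected fields]; the caller rejects the
     * request when the second element is not empty.
     *
     * @return array{0: array<string, mixed>, 1: list<string>}
     */
    public function validateForm(): array
    {
        $definition = [
            // name == alphabetic string (letters only, bounded length)
            'name'    => ['filter'  => FILTER_VALIDATE_REGEXP,
                          'options' => ['regexp' => '/^[A-Za-z]{1,64}$/']],
            // age == integer with min and max; a valid result is an int, not a string
            'age'     => ['filter'  => FILTER_VALIDATE_INT,
                          'options' => ['min_range' => 13, 'max_range' => 120]],
            // website == valid URL format, email == valid e-mail format
            'website' => FILTER_VALIDATE_URL,
            'email'   => FILTER_VALIDATE_EMAIL,
            // color == one of red, blue, green. FILTER_CALLBACK hands the callback
            // the raw value with no flags applied, so it must whitelist itself.
            'color'   => ['filter'  => FILTER_CALLBACK,
                          'options' => static fn ($v) =>
                              in_array($v, ['red', 'blue', 'green'], true) ? $v : false],
        ];

        // add_empty = true: a field missing from the request comes back as null
        $clean = filter_var_array($this->raw, $definition, true);

        // FILTER_VALIDATE_URL checks syntax only and accepts any scheme that has a
        // host (ftp://, for one). A web address must be http or https.
        if (is_string($clean['website'])) {
            $scheme = strtolower((string) parse_url($clean['website'], PHP_URL_SCHEME));
            if (!in_array($scheme, ['http', 'https'], true)) {
                $clean['website'] = false;
            }
        }

        // false = failed its filter, null = absent, array = FILTER_CALLBACK was
        // given color[]=... (it recurses into arrays instead of rejecting them).
        $bad = array_keys(array_filter(
            $clean,
            static fn ($v) => !is_scalar($v) || $v === false
        ));

        return [$clean, $bad];
    }
}

// Constructed sample submission standing in for a real POST, so this runs from the CLI.
$_POST = [
    'name'    => 'Ben',
    'age'     => '33',
    'website' => 'ftp://example.com/',   // passes FILTER_VALIDATE_URL, fails the scheme check
    'email'   => 'ben@example.com',
    'color'   => 'purple',               // not in the whitelist
];

$input = new FilteredInput($_POST);
assert($_POST === []);                   // nothing left to read directly

[$clean, $bad] = $input->validateForm();
assert($clean['name'] === 'Ben' && $clean['age'] === 33);
assert($bad === ['website', 'color']);
assert($input->raw('color') === 'purple'); // opting out is still possible, on purpose

echo $bad === [] ? "accepted\n" : 'rejected fields: ' . implode(', ', $bad) . "\n";
```

Three points a reviewer would check. FILTER_CALLBACK sits on the "Opting Out" slide for a reason: the callback gets the raw value and ext/filter applies none of its flags, so it has to do its own whitelisting, and because arrays are recursed into rather than rejected the caller must also check that the result is scalar. FILTER_VALIDATE_URL is a syntax check, not a policy check, hence the explicit http/https test. And emptying $_POST does not affect filter_input(), which reads PHP's own copy of the request; keeping FILTER_UNSAFE_RAW out of application code is therefore a code-review rule, not something the wrapper can enforce.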
Filtering Tips
• Use a whitelist approach
• Force the use of your filter (don’t directly use $_GET, $_POST, $_COOKIE, etc.)
• Implement an opt-out strategy
• Set register_long_arrays = Off in php.ini (the long arrays such as $HTTP_GET_VARS, and this setting, were removed in PHP 5.4)
Summary
• Zend_Filter_Input provides an OO interface and many built-in methods for all types of data
• ext/filter requires more thought and planning, but provides filtering directly in the PHP engine
• Both still need some improvement
Slides & Further Reading
http://benramsey.com/archives/ipc06-slides/
And on the Conference CD-ROM