
Filtering Tainted Data: ext/filter vs. Zend_Filter (IPC 2006)


All input should be considered tainted. The question is: how do we filter it to ensure that the input received is the input expected? This talk will examine the PECL Input Filter extension and the Zend_Filter_Input class from the Zend Framework, comparing and contrasting their approaches to filtering input. We'll consider examples of both techniques and see how they work to ensure that the data we receive is safe to use.


Ben Ramsey

November 08, 2006


Transcript

1. Filtering Tainted Data: ext/filter vs. Zend_Filter • Ben Ramsey • International PHP Conference • 8 November 2006

2. Welcome • BenRamsey.com • I work for Art & Logic, Inc. • PHP 5 Certification Study Guide author • Organizer of Atlanta PHP user group

3. Overview • Filtering Input • Zend_Filter_Input • ext/filter • Filtering Tips

4. Filtering Input

5. Why Filter Input? • Input comes from everywhere • You cannot control the origin of input • They’re sending all kinds of input • Thus, you can’t trust the data • You don’t want to accept bad or incorrect data

6. What Is Filtering? • Data inspection process • By which you validate input according to your data model • You can choose to accept or reject the input if it doesn’t match your model

7. Where To Filter? • Client-side? • All client-side filtering can be circumvented • Server-side? • Best place to filter; not so user-friendly • Both? • Client-side provides good user experience • Server-side ensures good data

8. Filtering Methodologies • Blacklist filtering • Whitelist filtering • Sanitizing data

9. Blacklist Filtering • Negative filtering • “I know what data I don’t want to allow” • Block input based on a list of unacceptable values • Must continually add to this list as you discover new unacceptable values

10. Whitelist Filtering • Positive filtering • “I know what data I do want to allow” • Accept input based on a list of acceptable values • Benefit: you always know what you want to accept

11. Sanitizing • Lenient “filtering” • Two approaches: • Blacklist: “I’ll accept everything and strip out what I don’t want” • Whitelist: “I’ll accept everything and extract only what I do want” • Though the input is sanitized, it may not be good data
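The three methodologies of slides 8 through 11, as an added example that is not from the deck: each is applied to the same constructed inputs so the difference shows up in the output. The blacklist is deliberately naive (one pass of str_ireplace() over a short deny-list) to show why such a list is never finished; the sample inputs, the allowed colours and the PHP 7.1+ syntax are my assumptions.

```php
<?php
// Added example (mine, not from the slides). Assumes PHP 7.1+.
declare(strict_types=1);

// Blacklist: "I know what I don't want". A one-pass str_ireplace() over a
// short deny-list, which is what most home-grown blacklists amount to.
function blacklistStrip(string $value): string
{
    $denied = ['<script>', '</script>', 'javascript:'];
    return str_ireplace($denied, '', $value);
}

// Whitelist: "I know what I do want". Accept only a listed value, otherwise
// reject (null). Strict comparison, so "Red" is not "red".
function whitelistColor(string $value): ?string
{
    $allowed = ['red', 'blue', 'green'];   // assumed data model
    return in_array($value, $allowed, true) ? $value : null;
}

// Whitelist sanitizing: keep only the characters the model wants. It never
// rejects, so the result is safe to use as a word but may still be wrong.
function sanitizeAlpha(string $value): string
{
    return preg_replace('/[^A-Za-z]/', '', $value);
}

// Constructed inputs: a good value, a near miss, two tag-smuggling
// attempts and a SQL fragment.
$inputs = [
    'red',
    'Red',
    '<scr<script>ipt>alert(1)</script>',
    '<SCRIPT SRC=//x.example/a.js></SCRIPT>',
    'red; DROP TABLE colors',
];

foreach ($inputs as $in) {
    printf("input:      %s\n", $in);
    printf("blacklist:  %s\n", blacklistStrip($in));
    printf("whitelist:  %s\n", whitelistColor($in) ?? '(rejected)');
    printf("sanitized:  %s\n\n", sanitizeAlpha($in));
}
```

The nested-tag input survives the blacklist because removing the inner `<script>` stitches the outer fragments into a new one, and the upper-case tag with a `SRC` attribute is simply not on the list. The strict whitelist rejects `Red`, which is the right default (normalise case before the check if you mean to accept it). The alphabetic sanitizer turns the SQL fragment into a harmless but meaningless string, which is slide 11's point that sanitized is not the same as good.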
12. Filtering Practices • Opt-in filtering • Opt-out filtering

13. Opt-In Filtering • All input is unfiltered to begin with • You choose when you want to filter data • Nothing to stop you or your development team from using unfiltered data • Typical approach is to filter input from $_GET and $_POST and store it back to these variables or a new variable

14. Opt-Out Filtering • Everything is filtered by default • No access to unfiltered data except by choice • No accidental usage of $_GET, $_POST, etc. • You must make a conscious decision to opt-out of the filtering and get raw data

15. Enforce Opt-out Filtering • Ensures that you and your development team cannot accidentally access unfiltered input • Must consciously decide to use raw data • PHP does not do this by default, nor does Zend_Filter_Input or ext/filter • I’ll show you how

16. Zend_Filter_Input

17. Zend_Filter_Input Philosophy • Filter from the application level • Opt-out filtering • Not enforced by default • Whitelist filtering • Provides sanitizing methods, if desired

18. Quick Example

19. Set Up Opt-out Environment

20. Method Types • no*() methods: blacklist sanitizers • get*() methods: whitelist sanitizers • test*() methods: whitelist filters

21. no*() Methods • noPath() — returns basename(value) • noTags() — strips all tags from value

22. get*() Methods • getAlnum() — returns only alphanumeric chars • getAlpha() — returns only alphabetic chars • getDigits() — returns only digits • getDir() — returns dirname(value) • getInt() — returns (int) value • getPath() — returns realpath(value) • getRaw() — returns original value (opt-out)

23. test*() Methods • testAlnum() • testAlpha() • testBetween() • testCcnum() • testDate() • testDigits() • testEmail()

24. test*() Methods • testFloat() • testGreaterThan() • testHex() • testHostname() • testInt() • testIp() • testLessThan()

25. test*() Methods • testName() • testOneOf() • testPhone() • testRegex() • testZip()

26. Extended Example • Typical form that asks for information • Use Zend_Filter_Input to filter the values for the following types of data: • name == alphabetic string • age == integer with min and max • website == valid URL format • e-mail == valid e-mail format • color == one of red, blue, or green

27. form.html

28. FormController.php
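Slide 28's FormController.php is not in the transcript. What follows is an added example of the extended example on slide 26 written against the Zend_Filter_Input methods listed on slides 20 through 25; it is my code, not the deck's. Beyond the method names the slides give, it assumes: the class is the 2006 Zend Framework preview class at Zend/Filter/Input.php; the constructor takes the source array by reference and in strict mode (the default) sets it to null, which is the opt-out environment of slide 19; test*() methods return the value on success and false on failure; testBetween() takes (key, min, max) and testOneOf() takes (key, allowed values). The 18..120 age bounds and the URL pattern are also mine.

```php
<?php
// Added example (mine, not the slides' FormController.php). Assumes the
// 2006-era Zend Framework preview class Zend_Filter_Input is on the
// include path and behaves as the slides describe: test*() returns the
// value when it passes and false when it does not; get*() returns a
// sanitized value; getRaw() is the only route to unfiltered input.
// Assumption: the constructor takes the array by reference and, in strict
// mode (the default), replaces it with null. That is the opt-out set-up.
require_once 'Zend/Filter/Input.php';

$post = new Zend_Filter_Input($_POST);   // strict: $_POST is now null

$clean  = array();
$errors = array();

// name == alphabetic string
if (($clean['name'] = $post->testAlpha('name')) === false) {
    $errors['name'] = 'letters only';
}

// age == integer with min and max (18..120 are assumed bounds);
// testInt() guards the type, testBetween() the range
if ($post->testInt('age') === false
    || ($clean['age'] = $post->testBetween('age', 18, 120)) === false) {
    $errors['age'] = 'a whole number between 18 and 120';
}

// website == valid URL format: the slides list no testUrl(), so this is a
// testRegex() whitelist of the forms this form accepts (pattern assumed)
if (($clean['website'] = $post->testRegex('website',
        '#^https?://[A-Za-z0-9.-]+(/[^\s]*)?$#')) === false) {
    $errors['website'] = 'an http:// or https:// address';
}

// e-mail == valid e-mail format
if (($clean['email'] = $post->testEmail('email')) === false) {
    $errors['email'] = 'a valid e-mail address';
}

// color == one of red, blue, or green
$colors = array('red', 'blue', 'green');
if (($clean['color'] = $post->testOneOf('color', $colors)) === false) {
    $errors['color'] = 'red, blue or green';
}

// Every check compares with === false on purpose: a value that passes, such
// as the string "0", is itself falsy, so `if (!$value)` would reject it.

if ($errors) {
    // Re-display the form with messages. Never echo the rejected raw values
    // unescaped; getRaw() is the deliberate opt-out if you must see them.
    foreach ($errors as $field => $expected) {
        printf("%s: expected %s\n", $field, $expected);
    }
    exit;
}

// Only whitelisted values reach the model from here on.
var_export($clean);
```

Because the constructor nulled $_POST, a colleague who later writes `$_POST['name']` gets nothing rather than raw input, which is the enforcement slide 15 asks for; the wrapper object is the only handle on the request, and getRaw() makes the opt-out visible in code review.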

29. ext/filter

30. ext/filter Philosophy • Filter from the PHP level • Opt-in filtering • Does provide a default filter setting, though • Whitelist and sanitizing filters

31. Quick Example

32. Configuration • Two php.ini settings for ext/filter • filter.default = unsafe_raw • filter.default_flags = • My personal wish: a third setting for enforcing an opt-out environment

33. Set Up Opt-out Environment

34. Functions Available • filter_input() • filter_input_array() • filter_var() • filter_var_array() • filter_has_var() • filter_list(), filter_id()

35. filter_input() • Basic usage: filter_input(type, name, [filter, [options]]) • Type == Location of input • Name == Name of input variable to get • Filter == Filter to apply • Options == Associative array of options

36. Types • INPUT_GET • INPUT_POST • INPUT_COOKIE • INPUT_SERVER • INPUT_ENV • INPUT_SESSION (not yet implemented) • INPUT_REQUEST (not yet implemented)

37. Whitelist Filters • FILTER_VALIDATE_INT • FILTER_VALIDATE_BOOLEAN • FILTER_VALIDATE_FLOAT • FILTER_VALIDATE_REGEXP • FILTER_VALIDATE_URL • FILTER_VALIDATE_EMAIL • FILTER_VALIDATE_IP

38. Whitelist Sanitizers • FILTER_SANITIZE_STRING • FILTER_SANITIZE_STRIPPED • FILTER_SANITIZE_EMAIL • FILTER_SANITIZE_URL • FILTER_SANITIZE_NUMBER_INT • FILTER_SANITIZE_NUMBER_FLOAT

39. Escaping Sanitizers • FILTER_SANITIZE_ENCODED • FILTER_SANITIZE_SPECIAL_CHARS • FILTER_SANITIZE_MAGIC_QUOTES

40. Opting Out • FILTER_UNSAFE_RAW • FILTER_CALLBACK

41. Extended Example • Same form as earlier • Use ext/filter to filter the values for the same types of data as used earlier: • name == alphabetic string • age == integer with min and max • website == valid URL format • e-mail == valid e-mail format • color == one of red, blue, or green

42. form.html

43. process.php

44. process.php

45. process.php
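The process.php of slides 43 through 45 is not transcribed either. This added example (mine, not the deck's) handles the same form with ext/filter, using one definition array that filter_input_array() and filter_var_array() both accept, and sets up the opt-out environment of slide 33 by reading the request once and then emptying the superglobals. It assumes PHP 7.1+, the same 18..120 age bounds, a form field named email, and a constructed sample request when run from the CLI.

```php
<?php
// Added example (mine, not the slides' process.php). Assumes PHP 7.1+ with
// ext/filter, which has been bundled with PHP since 5.2.
declare(strict_types=1);

const ALLOWED_COLORS = ['red', 'blue', 'green'];   // assumed whitelist

// One whitelist rule per form field. The same array works for both
// filter_input_array() (live request) and filter_var_array() (any array).
function profileDefinition(): array
{
    return [
        // name == alphabetic string; FILTER_VALIDATE_REGEXP is a whitelist
        'name' => [
            'filter'  => FILTER_VALIDATE_REGEXP,
            'options' => ['regexp' => '/^[A-Za-z]{1,64}$/'],
        ],
        // age == integer with min and max (bounds are an assumption)
        'age' => [
            'filter'  => FILTER_VALIDATE_INT,
            'options' => ['min_range' => 18, 'max_range' => 120],
        ],
        // website == valid URL format
        'website' => FILTER_VALIDATE_URL,
        // e-mail == valid e-mail format
        'email' => FILTER_VALIDATE_EMAIL,
        // color == one of red, blue, or green: no built-in filter expresses a
        // fixed set directly, so FILTER_CALLBACK returns the value when
        // allowed and false when not
        'color' => [
            'filter'  => FILTER_CALLBACK,
            'options' => function ($value) {
                return in_array($value, ALLOWED_COLORS, true) ? $value : false;
            },
        ],
    ];
}

// Returns [clean values keyed by field, names of fields that failed].
function validateProfile(array $raw): array
{
    $result = filter_var_array($raw, profileDefinition());
    $clean  = [];
    $failed = [];
    foreach ($result as $field => $value) {
        // false = rejected, null = absent. Use === here: a valid value can
        // itself be falsy (FILTER_VALIDATE_INT returns int 0 for "0").
        if ($value === false || $value === null) {
            $failed[] = $field;
        } else {
            $clean[$field] = $value;
        }
    }
    return [$clean, $failed];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample request: three good fields, two bad ones.
    $raw = [
        'name'    => 'Ben',
        'age'     => '37',
        'website' => 'http://benramsey.com/',
        'email'   => 'not-an-address',
        'color'   => 'purple',
    ];
} else {
    // Opt-out environment (slides 14 and 33): take the raw request exactly
    // once, in one place, then empty the superglobals so nothing downstream
    // can reach unfiltered input by accident. filter_input*() still works
    // afterwards because it reads the request data PHP captured at startup.
    $raw = filter_input_array(INPUT_POST, FILTER_UNSAFE_RAW) ?: [];
    $_GET = $_POST = $_COOKIE = $_REQUEST = [];
}

[$clean, $failed] = validateProfile($raw);

foreach ($clean as $field => $value) {
    printf("ok    %-8s %s\n", $field, var_export($value, true));
}
foreach ($failed as $field) {
    printf("fail  %-8s rejected\n", $field);
}
```

Two caveats are worth keeping. Compare results with === false (and === null for absent fields) rather than with a truthiness test: FILTER_VALIDATE_INT returns an int 0 for "0", and FILTER_VALIDATE_BOOLEAN returns false for "off" and "no" unless you pass FILTER_NULL_ON_FAILURE. And emptying the superglobals neither feeds nor hides anything from filter_input() or filter_input_array(), which read the request data PHP captured before the script ran; that is exactly what makes them usable as the single sanctioned entry point after the superglobals are gone.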

  46. Filtering Tips • Use a whitelist approach • Force the

    use of your filter (don’t directly use $_GET, $_POST, $_COOKIE, etc.) • Implement an opt-out strategy • Set register_long_arrays = Off in php.ini 46
  47. Summary • Zend_Filter_Input provides an OO interface and many built-in

    methods for all types of data • ext/filter requires more thought and planning, but provides filtering directly in the PHP engine • Both still need some improvement 47
  48. Slides & Further Reading http://benramsey.com/archives/ipc06-slides/ And on the Conference CD-ROM

    48