Filtering Tainted Data: ext/filter vs. Zend_Filter (IPC 2006)

Transcript

1. Filtering Tainted Data: ext/filter vs. Zend_Filter Ben Ramsey International PHP

   Conference 8 November 2006

2. Welcome • BenRamsey.com • I work for Art & Logic,

   Inc. • PHP 5 Certification Study Guide author • Organizer of Atlanta PHP user group 2

3. Overview • Filtering Input • Zend_Filter_Input • ext/filter • Filtering

   Tips 3

4. Filtering Input 4

5. Why Filter Input? 5 • Input comes from everywhere •

   You cannot control the origin of input • They’re sending all kinds of input • Thus, you can’t trust the data • You don’t want to accept bad or incorrect data

6. What Is Filtering? • Data inspection process • By which

   you validate input according to your data model • You can choose to accept or reject the input if it doesn’t match your model 6

7. Where To Filter? • Client-side? • All client-side filtering can

   be circumvented • Server-side? • Best place to filter; not so user-friendly • Both? • Client-side provides good user experience • Server-side ensures good data 7

8. Filtering Methodologies • Blacklist filtering • Whitelist filtering • Sanitizing

   data 8

9. Blacklist Filtering • Negative filtering • “I know what data

   I don’t want to allow” • Block input based on a list of unacceptable values • Must continually add to this list as you discover new unacceptable values 9

10. Whitelist Filtering • Positive filtering • “I know what data

    I do want to allow” • Accept input based on a list of acceptable values • Benefit: you always know what you want to accept 10

11. Sanitizing • Lenient “filtering” • Two approaches: • Blacklist: “I’ll

    accept everything and strip out what I don’t want” • Whitelist: “I’ll accept everything and extract only what I do want” • Though the input is sanitized, it may not be good data 11

12. Filtering Practices • Opt-in filtering • Opt-out filtering 12

13. Opt-In Filtering • All input is unfiltered to begin with

    • You choose when you want to filter data • Nothing to stop you or your development team from using unfiltered data • Typical approach is to filter input from $_GET and $_POST and store it back to these variables or a new variable 13

14. Opt-Out Filtering • Everything is filtered by default • No

    access to unfiltered data except by choice • No accidental usage of $_GET, $_POST, etc. • You must make a conscious decision to opt- out of the filtering and get raw data 14

15. Enforce Opt-out Filtering • Ensures that you and your development

    team cannot accidently access unfiltered input • Must consciously decide to use raw data • PHP does not do this by default, nor does Zend_Filter_Input or ext/filter • I’ll show you how 15

16. Zend_Filter_Input 16

17. Zend_Filter_Input Philosophy 17 • Filter from the application level •

    Opt-out filtering • Not enforced by default • Whitelist filtering • Provides sanitizing methods, if desired

18. Quick Example 18

19. Set Up Opt-out Environment 19

20. Method Types • no*() methods • Blacklist sanitizers • get*()

    methods • Whitelist sanitizers • test*() methods • Whitelist filters 20

21. no*() Methods • noPath() — returns basename(value) • noTags() —

    strips all tags from value 21

22. get*() Methods • getAlnum() — returns only alphanumeric chars •

    getAlpha() — returns only alphabetic chars • getDigits() — returns only digits • getDir() — returns dirname(value) • getInt() — returns (int) value • getPath() — returns realpath(value) • getRaw() — returns original value (opt-out) 22

23. test*() Methods • testAlnum() • testAlpha() • testBetween() • testCcnum()

    • testDate() • testDigits() • testEmail() 23

24. test*() Methods • testFloat() • testGreaterThan() • testHex() • testHostname()

    • testInt() • testIp() • testLessThan() 24

25. test*() Methods • testName() • testOneOf() • testPhone() • testRegex()

    • testZip() 25

26. Extended Example • Typical form that asks for information •

    Use Zend_Filter_Input to filter the values for the following types of data: • name == alphabetic string age == integer with min and max website == valid URL format e-mail == valid e-mail format color == one of red, blue, or green 26

27. 27 form.html

28. 28 FormController.php

29. ext/filter 29

30. ext/filter Philosophy 30 • Filter from the PHP level •

    Opt-in filtering • Does provide a default filter setting, though • Whitelist and sanitizing filters

31. Quick Example 31

32. Configuration • Two php.ini settings for ext/filter • filter.default =

    unsafe_raw • filter.default_flags = • My personal wish: a third setting for enforcing an opt-out environment 32

33. Set Up Opt-out Environment 33

34. Functions Available • filter_input() • filter_input_array() • filter_var() • filter_var_array()

    • filter_has_var() • filter_list(), filter_id() 34

35. filter_input() • Basic usage: • filter_input(type, name, [filter, [options]]) •

    Type == Location of input • Name == Name of input variable to get • Filter == Filter to apply • Options == Associative array of options 35

36. Types • INPUT_GET • INPUT_POST • INPUT_COOKIE • INPUT_SERVER •

    INPUT_ENV • INPUT_SESSION (not yet implemented) • INPUT_REQUEST (not yet implemented) 36

37. Whitelist Filters • FILTER_VALIDATE_INT • FILTER_VALIDATE_BOOLEAN • FILTER_VALIDATE_FLOAT • FILTER_VALIDATE_REGEXP

    • FILTER_VALIDATE_URL • FILTER_VALIDATE_EMAIL • FILTER_VALIDATE_IP 37

38. Whitelist Sanitizers • FILTER_SANITIZE_STRING • FILTER_SANITIZE_STRIPPED • FILTER_SANITIZE_EMAIL • FILTER_SANITIZE_URL

    • FILTER_SANITIZE_NUMBER_INT • FILTER_SANITIZE_NUMBER_FLOAT 38

39. Escaping Sanitizers • FILTER_SANITIZE_ENCODED • FILTER_SANITIZE_SPECIAL_CHARS • FILTER_SANITIZE_MAGIC_QUOTES 39

40. Opting Out • FILTER_UNSAFE_RAW • FILTER_CALLBACK 40

41. Extended Example • Same form as earlier • Use ext/filter

    to filter the values for the same type of data as used earlier: • name == alphabetic string age == integer with min and max website == valid URL format e-mail == valid e-mail format color == one of red, blue, or green 41

42. 42 form.html

43. 43 process.php

44. 44 process.php

45. 45 process.php

46. Filtering Tips • Use a whitelist approach • Force the

    use of your filter (don’t directly use $_GET, $_POST, $_COOKIE, etc.) • Implement an opt-out strategy • Set register_long_arrays = Off in php.ini 46

47. Summary • Zend_Filter_Input provides an OO interface and many built-in

    methods for all types of data • ext/filter requires more thought and planning, but provides filtering directly in the PHP engine • Both still need some improvement 47

48. Slides & Further Reading http://benramsey.com/archives/ipc06-slides/ And on the Conference CD-ROM

    48