Disappointed in php -- again!
Taint checking? Just say no, according to php developers (I must admit, I stopped reading after the first two replies).
Pixy tries to address that (in Java, sic!) and fails on my test code. The only hope left (as it seems) is generating an AST using phc or Parse_Tree. Both look like a workable way to get an AST, but I really wouldn't like to implement taint analysis for a language which I don't particularly like.
Any suggestions from idle readers of my blog?
OOH, this day would be a more-or-less complete waste if I hadn't stumbled upon hypertable, which seems like a nice implementation of bigtable in a sane language (C/C++). Now if I could just find a bunch of machines to run it on...
Updated by Dobrica Pavlinušić on Feb 7 3:11pm
Posted by Dobrica Pavlinušić on Feb 7 3:11pm
Oxymoron, right? Well, for somebody who loves perl so much, it is. Anyway, here it is...
One-liners
show phpinfo from shell
echo '<?php phpinfo(); ?>' | php5
Security scanning
http://developer.spikesource.com/projects/phpsecaudit/
sudo apt-get install php5-xslt
Small list of checked expressions, quite difficult to browse.
Pixy
http://pixybox.seclab.tuwien.ac.at/pixy/
Enables taint analysis of code. Doesn't handle ISO-8859-2 characters well and breaks with a terrifying error, but it's a very promising tool (in Java, sigh).
phc
http://www.phpcompiler.org/
Great tool to get php's AST. Used by Plumhead.
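To show what the taint analysis Pixy does (and what one would have to build on top of an AST from phc or Parse_Tree) actually amounts to, here is a small added example in Python. It is not Pixy's, phc's or Plumhead's code: the node classes are a made-up PHP-subset AST, the source/sink/sanitizer tables are assumptions chosen for illustration, and the sample program is constructed by hand as the tree a real parser would return. It walks statements in order, tracks which vulnerability classes each variable may still carry, and reports a finding when tainted data reaches a sink that no matching sanitizer has cleaned.

```python
# Added example: minimal forward taint analysis over a hand-built PHP-subset AST.
# Not Pixy/phc/Plumhead code; node shapes and rule tables are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Set, Union


@dataclass
class Str:
    value: str                 # string literal, never tainted


@dataclass
class Var:
    name: str                  # local variable such as "$name"


@dataclass
class Superglobal:
    name: str                  # "$_GET", "$_POST", ...
    key: str


@dataclass
class Concat:
    left: "Expr"
    right: "Expr"


@dataclass
class Call:
    func: str
    args: List["Expr"]


Expr = Union[Str, Var, Superglobal, Concat, Call]


@dataclass
class Assign:
    target: str                # "$var = expr;"
    value: Expr


@dataclass
class ExprStmt:
    expr: Expr                 # a bare call such as "echo ...;" or "mysql_query(...);"


# Rule tables (assumed for the example): where taint enters, which calls must
# not receive it, and which functions neutralise which vulnerability class.
SOURCES = {"$_GET", "$_POST", "$_COOKIE", "$_REQUEST"}
SINKS = {"echo": "xss", "mysql_query": "sqli", "system": "cmdi"}
ALL_CLASSES = set(SINKS.values())
SANITIZERS = {
    "htmlspecialchars": {"xss"},
    "mysql_real_escape_string": {"sqli"},
    "escapeshellarg": {"cmdi"},
    "intval": ALL_CLASSES,     # casting to int removes every class
}


def taint_of(expr: Expr, env: Dict[str, Set[str]]) -> Set[str]:
    """Vulnerability classes the value of `expr` may still carry."""
    if isinstance(expr, Str):
        return set()
    if isinstance(expr, Superglobal):
        return set(ALL_CLASSES) if expr.name in SOURCES else set()
    if isinstance(expr, Var):
        return set(env.get(expr.name, set()))      # unassigned vars are clean
    if isinstance(expr, Concat):
        return taint_of(expr.left, env) | taint_of(expr.right, env)
    if isinstance(expr, Call):
        carried: Set[str] = set()
        for arg in expr.args:
            carried |= taint_of(arg, env)
        # a sanitizer strips only the classes it is known to neutralise
        return carried - SANITIZERS.get(expr.func, set())
    raise TypeError(f"unknown node {expr!r}")


def analyze(stmts) -> List[tuple]:
    """Return (line, sink, class) for every sink reached by matching taint."""
    env: Dict[str, Set[str]] = {}
    findings = []
    for lineno, stmt in enumerate(stmts, 1):
        if isinstance(stmt, Assign):
            env[stmt.target] = taint_of(stmt.value, env)
        elif isinstance(stmt, ExprStmt):
            expr = stmt.expr
            if isinstance(expr, Call) and expr.func in SINKS:
                cls = SINKS[expr.func]
                if cls in taint_of(expr, env):
                    findings.append((lineno, expr.func, cls))
    return findings


def sample_program():
    """Constructed PHP-subset program, written as the AST a parser would return."""
    g = lambda key: Superglobal("$_GET", key)
    return [
        Assign("$name", g("name")),                                        # 1 $name = $_GET['name'];
        ExprStmt(Call("echo", [Concat(Str("Hello "), Var("$name"))])),     # 2 echo "Hello " . $name;          -> xss
        ExprStmt(Call("echo", [Call("htmlspecialchars", [Var("$name")])])),# 3 echo htmlspecialchars($name);   -> clean
        Assign("$id", Call("intval", [g("id")])),                          # 4 $id = intval($_GET['id']);
        ExprStmt(Call("mysql_query", [Concat(Str("SELECT * FROM u WHERE id="), Var("$id"))])),  # 5 clean
        Assign("$q", Concat(Concat(Str("SELECT * FROM u WHERE name='"), Var("$name")), Str("'"))),  # 6
        ExprStmt(Call("mysql_query", [Var("$q")])),                        # 7 mysql_query($q);                -> sqli
        ExprStmt(Call("mysql_query", [Call("htmlspecialchars", [Var("$name")])])),  # 8 wrong sanitizer -> sqli
    ]


if __name__ == "__main__":
    for lineno, sink, cls in analyze(sample_program()):
        print(f"line {lineno}: tainted data reaches {sink}() -> {cls}")
```

The rule tables are the part that makes or breaks such a tool: line 8 is flagged because htmlspecialchars() neutralises XSS only, so treating any "escaping" call as a universal cleaner would silence a real SQL injection. The example is intraprocedural and flow-insensitive apart from statement order; a usable analysis also needs aliasing, arrays, includes and calls between user functions, which is where the real work on a phc AST starts.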
Links
Updated by Dobrica Pavlinušić on Jan 8 10:30am
Posted by Dobrica Pavlinušić on Jan 7 1:04pm