<div dir="ltr">Let's first keep aside the categorization...that I will do...<div><br></div><div>for the other problem we can do this....we also check each token for strings...basically T_STRING...then in that string, we check for concatenation...concatenation starts from "." and replacement starts from "{"...whatever the case...it is followed by the character "$"...this would tell us that a variable has been concatenated...suppose we detect that $x is the variable...now in the whole document we can again search for $x and check the nature of this code...e.g. numeric strings such as "45" are no harm I guess....if it contains some "JS code...or some other bad code"...then we can flag a warning...</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Aug 19, 2013 at 7:23 PM, Abbas Naderi <span dir="ltr"><<a href="mailto:abiusx@owasp.org" target="_blank">abiusx@owasp.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">1. indeed. it should act like a security compiler<div>2. k</div><div>3. we need to detect concatenations</div>
<div>4. yes it is insecure.</div><div><br></div><div>echof ("%s",$x) is secure, but the constant string (format string) is not safeguarded.</div><span class="HOEnZb"><font color="#888888"><div>-A</div></font></span><div>
<div class="im"><div>
<div style="font-weight:normal"><div>______________________________________________________________</div><div><b>Notice:</b> This message is <b>digitally signed</b>, its <b>source</b> and <b>integrity</b> are verifiable.</div>
<div>If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body. Read more at <a href="http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/" target="_blank">Certified E-Mail with Comodo and Thunderbird</a> in <a href="http://AbiusX.com" target="_blank">AbiusX.com</a></div>
</div>
</div>
<br></div><div><div class="h5"><div><div>On Mordad 28, 1392, at 6:21 PM, rahul chaudhary <<a href="mailto:rahul300chaudhary400@gmail.com" target="_blank">rahul300chaudhary400@gmail.com</a>> wrote:</div><br><blockquote type="cite">
<div dir="ltr">aaahhhh.....I was pulling my hair out wondering what this file is..... ;)<div><br></div><div>1) anyways...I see that you have divided things into different types: "warning", "error" etc...so does the scanner need to categorize them ??</div>

<div><br></div><div>2) multi-line statements...(the last statement).....that is now already being detected....</div><div><br></div><div>3) for the vprintf line...if we just add "vprintf" to the blacklist, this whole line is still detected....so this does not need any change..</div>

<div><br></div><div>4) if I use echof(<code style="font-family:Monaco;font-size:11px">"this one {$x} is error");</code> then is this error ????</div>

</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Aug 19, 2013 at 7:16 PM, Abbas Naderi <span dir="ltr"><<a href="mailto:abiusx@owasp.org" target="_blank">abiusx@owasp.org</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">Ok this is an example to detect:<div><br></div><div><pre style="margin:0px;font-size:11px;font-family:Monaco">
$x="&lt;p&gt;yo&lt;/p&gt;";
echo "this should be just warning"; //safe stuff
echo "this one {$x} is error";
print "this is ".$x." unsafe too.";
printf("warning here");
vprintf("warn %s",array($x));
vprintf("not ok ".$x." %s",array($x));
echo "you
	cant detect this.";
</pre>

<div><div><span><br></span></div><div>
</div>
<br></div><div><div><div><div>On Mordad 28, 1392, at 6:15 PM, rahul chaudhary <<a href="mailto:rahul300chaudhary400@gmail.com" target="_blank">rahul300chaudhary400@gmail.com</a>> wrote:</div><br><blockquote type="cite">

<div dir="ltr"><a href="https://github.com/OWASP/phpsec/commit/f0d6cc3e175eea232444e596c672f4a743102ea4" target="_blank">https://github.com/OWASP/phpsec/commit/f0d6cc3e175eea232444e596c672f4a743102ea4</a><br><div><br></div>

</div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Mon, Aug 19, 2013 at 7:15 PM, rahul chaudhary <span dir="ltr"><<a href="mailto:rahul300chaudhary400@gmail.com" target="_blank">rahul300chaudhary400@gmail.com</a>></span> wrote:<br>


<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I did that the day you told me to do so....I also pushed my codes back then only and then I informed you..</div>


<div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Aug 19, 2013 at 7:13 PM, Abbas Naderi <span dir="ltr"><<a href="mailto:abiusx@owasp.org" target="_blank">abiusx@owasp.org</a>></span> wrote:<br>



<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">Have you finished determining a whole statement? Please push the code and I will push my part.<div>



-A<br><div>
</div>
<br><div><div><div>On Mordad 28, 1392, at 6:10 PM, rahul chaudhary <<a href="mailto:rahul300chaudhary400@gmail.com" target="_blank">rahul300chaudhary400@gmail.com</a>> wrote:</div><br></div><blockquote type="cite">



<div><div dir="ltr">Hello All,<div><br></div><div>Abbas, you mentioned earlier that for the scanner, once we have created support for multi-line statements....we will start work on "concatenated statements"...should I start working on it ???</div>




<div><br></div><div>If yes, then can you give some examples of what kind of statements we are looking for ???</div><div><div><br></div>-- <br><div>Regards,</div><div>Rahul Chaudhary</div><div>Ph - <a href="tel:412-519-9634" value="+14125199634" target="_blank">412-519-9634</a></div>




</div></div></div>
_______________________________________________<br>OWASP_PHP_Security_Project mailing list<br><a href="mailto:OWASP_PHP_Security_Project@lists.owasp.org" target="_blank">OWASP_PHP_Security_Project@lists.owasp.org</a><br>



<a href="https://lists.owasp.org/mailman/listinfo/owasp_php_security_project" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp_php_security_project</a><br></blockquote></div><br></div></div></blockquote></div>



</div>
</div></blockquote></div>
</div>
</blockquote></div><br></div></div></div></div></blockquote></div>

</div>
</blockquote></div><br></div></div></div></div></blockquote></div>
</div>
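<div dir="ltr"><div>The token walk proposed in the top message, run over Abbas's test lines, as an added example (this is not phpsec project code; the function name <code>classify_output_statements</code>, the warning/error labels taken from Abbas's comments on the test lines, and the choice to treat only the first argument of <code>printf</code>/<code>vprintf</code> as the format string are my assumptions). One caveat worth knowing before searching "inside the string": PHP's tokenizer does not emit an interpolated double-quoted string as a single token. A plain literal arrives as <code>T_CONSTANT_ENCAPSED_STRING</code>, while <code>"this one {$x} is error"</code> arrives as a <code>"</code> token followed by <code>T_ENCAPSED_AND_WHITESPACE</code>, <code>T_CURLY_OPEN</code>, <code>T_VARIABLE</code> and so on, and a concatenation <code>.$x.</code> is a <code>.</code> token next to a <code>T_VARIABLE</code>. Either way the detection reduces to one question: does a variable token appear inside the region that becomes the output string or the format string?</div>

```php
<?php
// Added example, not phpsec project code: walk token_get_all() output and
// classify echo/print/printf/vprintf statements by whether a variable token
// reaches the output string (echo/print) or the format string (the first
// argument of printf/vprintf). Labels follow the thread: a constant string
// is a "warning", a string with a variable interpolated or concatenated
// into it is an "error". Assumes statements end in ';' and are not nested
// inside larger expressions.

function classify_output_statements(string $source): array
{
    $tokens   = token_get_all($source);
    $n        = count($tokens);
    $findings = [];
    $atStart  = true; // true when the next significant token begins a statement

    // Token ids that mean "a variable is being spliced into this string":
    // $x, {$x} and ${x} respectively.
    $variableTokens = [T_VARIABLE, T_CURLY_OPEN, T_DOLLAR_OPEN_CURLY_BRACES];

    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];

        // Whitespace, comments and the open tag do not affect statement position.
        if (is_array($tok) && in_array($tok[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_OPEN_TAG], true)) {
            continue;
        }

        $isEcho  = is_array($tok) && ($tok[0] === T_ECHO || $tok[0] === T_PRINT);
        $isFmtFn = is_array($tok) && $tok[0] === T_STRING
                   && in_array(strtolower($tok[1]), ['printf', 'vprintf'], true);

        if ($atStart && ($isEcho || $isFmtFn)) {
            $depth    = 0;     // parenthesis depth
            $inFormat = true;  // printf/vprintf: still inside the first argument
            $tainted  = false;

            // Scan to the ';' that ends this statement; a multi-line string
            // is a single token, so it does not break the walk.
            for ($j = $i + 1; $j < $n; $j++) {
                $t = $tokens[$j];
                if (!is_array($t)) {
                    if ($t === '(') {
                        $depth++;
                    } elseif ($t === ')') {
                        $depth--;
                    } elseif ($t === ',' && $isFmtFn && $depth === 1) {
                        $inFormat = false; // later arguments are data, not format
                    } elseif ($t === ';' && $depth === 0) {
                        break; // end of statement
                    }
                    continue;
                }
                if ($inFormat && in_array($t[0], $variableTokens, true)) {
                    $tainted = true;
                }
            }

            $findings[] = [
                'line'     => $tok[2],
                'function' => strtolower($tok[1]),
                'level'    => $tainted ? 'error' : 'warning',
            ];
            $i = $j; // resume after the terminating ';'
            $atStart = true;
            continue;
        }

        // Any other token: a new statement starts only after ';', '{' or '}'.
        $atStart = !is_array($tok) && in_array($tok, [';', '{', '}'], true);
    }

    return $findings;
}

// Constructed input: Abbas's test lines from this thread, wrapped so that
// token_get_all() sees PHP code. A nowdoc keeps {$x} literal here.
$sample = <<<'PHP'
<?php
$x = "<p>yo</p>";
echo "this should be just warning"; //safe stuff
echo "this one {$x} is error";
print "this is ".$x." unsafe too.";
printf("warning here");
vprintf("warn %s", array($x));
vprintf("not ok ".$x." %s", array($x));
echo "you
     cant detect this.";
PHP;

foreach (classify_output_statements($sample) as $f) {
    printf("line %d: %-7s -> %s\n", $f['line'], $f['function'], $f['level']);
}
```

<div>Statements are delimited by <code>;</code> at parenthesis depth zero, which is what makes the multi-line <code>echo</code> at the end come out as one statement with a constant string. Only the first argument of <code>printf</code>/<code>vprintf</code> is examined, so <code>vprintf("warn %s", array($x))</code> stays a warning while the concatenated format string becomes an error. The value assigned to <code>$x</code> is not traced, so the follow-up step from the top message (deciding whether the concatenated value is harmless) is left open.</div></div>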