laruence / taint

Taint is a PHP extension, used for detecting XSS codes

call_user_func() loses taint #30

Open CashWilliams opened 8 years ago

CashWilliams commented 8 years ago

Using call_user_func() and call_user_func_array() causes loss of the taint value.

Example code:

<?php

$input = $_GET['in'];
$function = 'render';
// Send tainted variable to $function
$output = call_user_func($function, $input);

function render($input) {
  // $input is tainted
  if (is_tainted($input)) {
    print "Input is tainted<br>";
  }
  return $input;
}

// $output is tainted
if (is_tainted($output)) {
  print "Output is tainted<br>";
}

Output:

Input is tainted

CashWilliams commented 8 years ago

I've cleaned up the code a bit and tried to PR a test which fails locally https://github.com/laruence/taint/pull/31