Software Security/Group 1/Verdict


Verdict on the security requirements

V6 - Output Encoding/Escaping Verification Requirements

Verification requirement | Verdict | Motivation
V6.1 Verify that all untrusted data that are output to HTML (including HTML elements, HTML attributes, javascript data values, CSS blocks, and URI attributes) are properly escaped for the applicable context. | Fail | We have identified places in the code where insufficient escaping is performed. See Avatar URLs.
V6.2 Verify that all output encoding/escaping controls are implemented on the server side. | Fail | We have identified one place where phpBB relies on client-side restrictions to enforce input validity. See Email manipulation.

?? Erik: it is not clear to me why this is client-side

V6.3 Verify that output encoding/escaping controls encode all characters not known to be safe for the intended interpreter. | Fail | We have identified places in the code where insufficient escaping is performed. See Avatar URLs.

?? Erik: but isn't this a case of missing escaping (i.e. V6.1) rather than not escaping all characters?

V6.4 Verify that all untrusted data that is output to SQL interpreters use parameterized interfaces, prepared statements, or are escaped properly. | N/A | This is the focus of Group 2.
V6.5 Verify that all untrusted data that are output to XML use parameterized interfaces or are escaped properly. | N/A | There is no XML output.
V6.6 Verify that all untrusted data that are used in LDAP queries are escaped properly. | N/A | There are no LDAP queries.


V6.7 Verify that all untrusted data that are included in operating system command parameters are escaped properly. | N/A | We have searched the code for uses of any PHP functions commonly used to invoke operating system commands, but found none.
V6.8 Verify that all untrusted data that are output to any interpreters not specifically listed above are escaped properly. | N/A | There are no other interpreters.
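Added example for the V6.1 to V6.3 rows above (this is not phpBB code and not the code the verdict was reached on; the function names, the default avatar path and the sample inputs are assumptions constructed for the example): server-side, context-aware handling of an untrusted avatar URL before it is written into an HTML attribute, and a server-side email check of the kind V6.2 asks for instead of a client-side form restriction.

```php
<?php
// Added example, not phpBB code. Names and paths are assumptions.
declare(strict_types=1);

/**
 * Return an avatar URL that is safe to embed in a src= attribute, or null if
 * it must be rejected. Two layers: validate the structure and allow-list the
 * scheme (so javascript: and data: URLs never reach the browser), then escape
 * for the HTML attribute context (V6.1, V6.3).
 */
function safe_avatar_url(string $untrusted): ?string
{
    // Reject anything that is not a syntactically valid absolute URL.
    if (filter_var($untrusted, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts  = parse_url($untrusted);
    $scheme = strtolower($parts['scheme'] ?? '');
    // Only schemes that make sense for an image are allowed.
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // Escape every character not known to be safe in an HTML attribute.
    // ENT_QUOTES covers both ' and " so the attribute cannot be closed early;
    // ENT_SUBSTITUTE avoids an empty result on invalid UTF-8.
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Build the <img> tag; falls back to a fixed, trusted default image. */
function render_avatar(string $untrusted): string
{
    $url = safe_avatar_url($untrusted);
    if ($url === null) {
        return '<img src="images/default_avatar.png" alt="avatar">'; // assumed path
    }
    return '<img src="' . $url . '" alt="avatar">';
}

/** Server-side email check that does not depend on any form or JS rule (V6.2). */
function valid_email(string $untrusted): bool
{
    return filter_var($untrusted, FILTER_VALIDATE_EMAIL) !== false
        && strlen($untrusted) <= 254;
}

// Constructed sample inputs: a normal URL, an attribute break-out attempt,
// and a URL with a scheme that is not allowed for images.
$samples = [
    'https://example.org/me.png',
    'https://example.org/me.png" onerror="x',
    'javascript:alert(1)',
];
foreach ($samples as $s) {
    echo render_avatar($s), "\n";
}
var_dump(valid_email('user@example.org'));
var_dump(valid_email("user@example.org\r\nBcc: x"));
```

The point of the two layers is that validation (allow-listed scheme) and escaping (attribute context) address different failures: escaping alone would still let a `javascript:` URL through as a well-formed attribute value, and validation alone would not stop a quote from closing the attribute. Both run on the server, so a modified form or a direct request cannot bypass them.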
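Added example for the V6.7 row (not phpBB code, and not the search the group actually ran): a tokenizer-based scan for the PHP functions and the backtick operator that invoke operating system commands. Using `token_get_all()` instead of a plain text search means comments and string literals that merely mention `exec` are not reported. The function list and the sample source are constructed for the example.

```php
<?php
// Added example, not phpBB code. Function list and sample input are constructed.
declare(strict_types=1);

// PHP built-ins that run an operating system command.
const OS_COMMAND_FUNCTIONS = [
    'exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open', 'pcntl_exec',
];

/**
 * Return [[line, description], ...] for every call to a listed function and
 * every backtick shell expression in the given PHP source text.
 */
function find_os_command_calls(string $source): array
{
    $hits       = [];
    $tokens     = token_get_all($source);
    $n          = count($tokens);
    $line       = 1;
    $inBacktick = false;
    $prev       = null;            // previous non-whitespace token
    $nameTokens = [T_STRING];      // PHP 8 tokenizes \exec as one name token
    if (defined('T_NAME_FULLY_QUALIFIED')) {
        $nameTokens[] = T_NAME_FULLY_QUALIFIED;
    }

    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (is_array($t)) {
            $line = $t[2];         // single-char tokens carry no line, so remember it
            if ($t[0] === T_WHITESPACE) {
                continue;
            }
        }
        if (is_array($t) && in_array($t[0], $nameTokens, true)
            && in_array(strtolower(ltrim($t[1], '\\')), OS_COMMAND_FUNCTIONS, true)) {
            // $obj->exec() or Cls::exec() is a method, not the PHP built-in.
            $isMethod = is_array($prev)
                && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON], true);
            // Skip whitespace to see whether the name is followed by '(' (a call).
            $j = $i + 1;
            while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
                $j++;
            }
            if (!$isMethod && $j < $n && $tokens[$j] === '(') {
                $hits[] = [$line, 'call to ' . strtolower(ltrim($t[1], '\\')) . '()'];
            }
        } elseif ($t === '`') {
            // Backtick expressions tokenize as '`' ... '`'; report the opening one.
            $inBacktick = !$inBacktick;
            if ($inBacktick) {
                $hits[] = [$line, 'backtick shell expression'];
            }
        }
        $prev = $t;
    }
    return $hits;
}

// Constructed sample source: a comment and a string that mention the functions,
// one real call, one backtick expression, and a PDO method that happens to be
// named exec. Only the real call and the backtick expression should be reported.
$sample = <<<'PHP'
<?php
// exec() is only mentioned in this comment
$x = "the string says system(...)";
$out = shell_exec('ls -l');
$list = `ls`;
$db->exec('SELECT 1');
PHP;

foreach (find_os_command_calls($sample) as [$line, $what]) {
    printf("line %d: %s\n", $line, $what);
}
```

Running this over the constructed sample reports the `shell_exec()` call on line 4 and the backtick expression on line 5 and nothing else. To apply it to a code base, feed each `.php` file's contents to `find_os_command_calls()`; a scan that returns no hits is the evidence a verdict like the one for V6.7 rests on, and any hit is a place where the command parameters have to be checked for proper escaping.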