Hey!

On 17/03/2019 22:23, Stanislav Malyshev wrote:
> Hi!
>
> Looking at the recent PHP security issues, it is clear that many of them
> are stemming from corner cases in various format-parsing code, and most
> of them either are or can be found by fuzzers.
>
> Thus, I've made an initial integration for PHP on OSS-Fuzz project - a
> fuzzing engine for testing open source projects. PHP configuration sits
> here:
> https://github.com/google/oss-fuzz/tree/master/projects/php

I followed the progress on GitHub. Thanks for doing the work up front.

> and implementation of fuzzers is here:
> https://github.com/php/php-fuzzing-sapi
>
> So far we have three fuzzers enabled: JSON, EXIF and mbstring. I plan
> also to add basic phar fuzzer soon. Everybody is welcome to add more
> fuzzers - with priority on ones that actually deal with third-party
> data, e.g. language parser fuzzer is not enabled right now, because
> people usually do not run random byte streams as PHP scripts on their
> servers. On the other hand, people do apply EXIF or gd functions to
> third-party data, so a vulnerability in that code would be high priority.
>
> That said, fuzzers can be run independently of OSS-Fuzz, so if you feel
> inspired to add a fuzzer for any code please do so.
>

I hope I'll find time to try it out soon, thanks again!

--
Regards,
Mike