On Sep 25, 2023, at 01:49, Derick Rethans wrote:
> The Foundation is organising an external audit/security check of the PHP
> source code. As part of that, we would like to identify the places in
> the PHP source code where checking this will have the most impact.
String parsing functions. Not

Hi!
This reminds me of something.
There's an interesting paper about ReDoS resilience in different regex engines.
Some programming languages, including PHP, are evaluated there and compared:
https://www.usenix.org/system/files/sec22-turonova.pdf
PHP has some configuration knobs for pcre
(https

Hi
On 25/09/2023 17:33, Tim Düsterhus wrote:
> Hi
>
> On 9/25/23 10:49, Derick Rethans wrote:
>> So, if you can suggest an area where doing an external review would have
>> high impact, please reply to this email.
>
> Some things from the top of my head in arbitrary order. Not all of them are
> nec

On Mon, Sep 25, 2023 at 10:49 AM Derick Rethans wrote:
>
> Hi,
>
> The Foundation is organising an external audit/security check of the PHP
> source code. As part of that, we would like to identify the places in
> the PHP source code where checking this will have the most impact.
>
> Typical areas

Hi
On 9/25/23 10:49, Derick Rethans wrote:
> So, if you can suggest an area where doing an external review would have
> high impact, please reply to this email.
Some things from the top of my head in arbitrary order. Not all of them are
necessarily important themselves per se, but rather intended to
the php-fpm master<->php-fpm worker glue code. php-fpm master usually
runs as *root*, so a compromise in that glue could lead to webserver
rooting

On Mon, 25 Sept 2023 at 10:49, Derick Rethans wrote:
>
> Hi,
>
> The Foundation is organising an external audit/security check of the PHP
> source cod

Hi,
The Foundation is organising an external audit/security check of the PHP
source code. As part of that, we would like to identify the places in
the PHP source code where checking this will have the most impact.
Typical areas would be where user input can be (automatically read) remotely,
su