RE: [PHP-DEV] bug classification discussion

2016-11-09 Thread Anatol Belski
Hi, > -Original Message- > From: jakub@gmail.com [mailto:jakub@gmail.com] On Behalf Of Jakub > Zelenka > Sent: Wednesday, November 2, 2016 8:36 PM > To: Stanislav Malyshev > Cc: PHP Internals ; Remi Collet > > Subject: Re: [PHP-DEV] bug classification dis

Re: [PHP-DEV] bug classification discussion

2016-11-02 Thread Jakub Zelenka
Hi, On Mon, Oct 24, 2016 at 6:23 AM, Stanislav Malyshev wrote: > Hi! > > We have had a bunch of bugs recently which are essentially one and the > same issue: PHP 5.6 allows only int-sized strings, but many functions > don't check the size of the string they produce. This can lead to int > overfl

Re: [PHP-DEV] bug classification discussion

2016-11-01 Thread Yasuo Ohgaki
Hi Stas, On Sun, Oct 30, 2016 at 2:21 PM, Stanislav Malyshev wrote: > So I wrote a first version of the document Anatol mentioned: > > https://wiki.php.net/security > > Please comment. Fixes to the grammar and typos are especially welcome > (you can just do them in the wiki without asking :) Nic

RE: [PHP-DEV] bug classification discussion

2016-11-01 Thread Anatol Belski
Hi Stas, > -Original Message- > From: Stanislav Malyshev [mailto:smalys...@gmail.com] > Sent: Tuesday, November 1, 2016 6:14 PM > To: Nikita Popov > Cc: Anatol Belski ; PHP Internals > ; Remi Collet > Subject: Re: [PHP-DEV] bug classification discussion >

Re: [PHP-DEV] bug classification discussion

2016-11-01 Thread Stanislav Malyshev
Hi! > Yet one thing seems to be missing - security issue, that only > concerns an unstable branch. Those can probably be handled as low > severity, as any pre GA or master are not for production anyway. > Still they should not be disclosed until fixed, but should be fine to > fix at any point

Re: [PHP-DEV] bug classification discussion

2016-11-01 Thread Stanislav Malyshev
Hi! > I'm also wondering under which category unserialize() issues would > (usually) fall. I'd assume "low" (because it requires documented insecure > code + well known class of vulnerabilities). I'd say medium. While it's documented that unserializing external strings is unsafe, there is code out t

RE: [PHP-DEV] bug classification discussion

2016-11-01 Thread Anatol Belski
> -Original Message- > From: Nikita Popov [mailto:nikita@gmail.com] > Sent: Tuesday, November 1, 2016 10:32 AM > To: Stanislav Malyshev > Cc: Anatol Belski ; PHP Internals > ; Remi Collet > Subject: Re: [PHP-DEV] bug classification discussion > > On S

Re: [PHP-DEV] bug classification discussion

2016-11-01 Thread Nikita Popov
On Sun, Oct 30, 2016 at 6:21 AM, Stanislav Malyshev wrote: > Hi! > > So I wrote a first version of the document Anatol mentioned: > > https://wiki.php.net/security > > Please comment. Fixes to the grammar and typos are especially welcome > (you can just do them in the wiki without asking :) > It

Re: [PHP-DEV] bug classification discussion

2016-10-31 Thread Joe Watkins
Original Message- > > From: Stanislav Malyshev [mailto:smalys...@gmail.com] > > Sent: Sunday, October 30, 2016 6:21 AM > > To: Anatol Belski ; 'PHP Internals' > > > > Cc: 'Remi Collet' > > Subject: Re: [PHP-DEV] bug classification discu

RE: [PHP-DEV] bug classification discussion

2016-10-31 Thread Anatol Belski
Hi Stas, > -Original Message- > From: Stanislav Malyshev [mailto:smalys...@gmail.com] > Sent: Sunday, October 30, 2016 6:21 AM > To: Anatol Belski ; 'PHP Internals' > > Cc: 'Remi Collet' > Subject: Re: [PHP-DEV] bug classification discussion &g

Re: [PHP-DEV] bug classification discussion

2016-10-29 Thread Stanislav Malyshev
Hi! So I wrote a first version of the document Anatol mentioned: https://wiki.php.net/security Please comment. Fixes to the grammar and typos are especially welcome (you can just do them in the wiki without asking :) -- Stas Malyshev smalys...@gmail.com -- PHP Internals - PHP Runtime Develop

Re: [PHP-DEV] bug classification discussion

2016-10-29 Thread Pierre Joye
Hi, On Oct 28, 2016 10:33 PM, "Ferenc Kovacs" wrote: > > On Fri, Oct 28, 2016 at 11:18 AM, Remi Collet > wrote: > > > Le 24/10/2016 à 07:23, Stanislav Malyshev a écrit : > > > Hi! > > > > > > We have had a bunch of bugs recently which are essentially one and the > > > same issue: PHP 5.6 allows

Re: [PHP-DEV] bug classification discussion

2016-10-28 Thread Ferenc Kovacs
On Fri, Oct 28, 2016 at 11:18 AM, Remi Collet wrote: > Le 24/10/2016 à 07:23, Stanislav Malyshev a écrit : > > Hi! > > > > We have had a bunch of bugs recently which are essentially one and the > > same issue: PHP 5.6 allows only int-sized strings, but many functions > > don't check the size of t

Re: [PHP-DEV] bug classification discussion

2016-10-28 Thread Joe Watkins
Morning, Trying to re-shape our own classification system seems like a good idea. I have no good idea of how to write such a document, would be happy to review (and make other people review) if someone were to start. Cheers Joe On Fri, Oct 28, 2016 at 10:18 AM, Remi Collet wrote: > Le

Re: [PHP-DEV] bug classification discussion

2016-10-28 Thread Remi Collet
Le 24/10/2016 à 07:23, Stanislav Malyshev a écrit : > Hi! > > We have had a bunch of bugs recently which are essentially one and the > same issue: PHP 5.6 allows only int-sized strings, but many functions > don't check the size of the string they produce. This can lead to int > overflows inside ph

RE: [PHP-DEV] bug classification discussion

2016-10-24 Thread Anatol Belski
> -Original Message- > From: Anatol Belski [mailto:anatol@belski.net] > Sent: Monday, October 24, 2016 3:45 PM > To: 'Stanislav Malyshev' ; 'PHP Internals' > > Cc: 'Remi Collet' > Subject: RE: [PHP-DEV] bug classification di

RE: [PHP-DEV] bug classification discussion

2016-10-24 Thread Anatol Belski
Hi Stas, > -Original Message- > From: Stanislav Malyshev [mailto:smalys...@gmail.com] > Sent: Monday, October 24, 2016 7:23 AM > To: PHP Internals > Cc: Remi Collet > Subject: [PHP-DEV] bug classification discussion > > Hi! > > We have had a bu

[PHP-DEV] bug classification discussion

2016-10-23 Thread Stanislav Malyshev
Hi! We have had a bunch of bugs recently which are essentially one and the same issue: PHP 5.6 allows only int-sized strings, but many functions don't check the size of the string they produce. This can lead to int overflows inside php and also can break other libraries that also assume string siz