Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:104779 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 77469 invoked from network); 18 Mar 2019 00:31:53 -0000 Received: from unknown (HELO mail-pf1-f193.google.com) (209.85.210.193) by pb1.pair.com with SMTP; 18 Mar 2019 00:31:53 -0000 Received: by mail-pf1-f193.google.com with SMTP id i19so9864321pfd.0 for ; Sun, 17 Mar 2019 14:23:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=to:from:subject:openpgp:autocrypt:message-id:date:user-agent :mime-version:content-language:content-transfer-encoding; bh=d8RkJ3A4iA7/bwgJXWjmMQVQ0FryVw4kugpadhktIww=; b=Mdwn5f4Ej61CL2T5joy9/NKP9hwt/+Dn9CsFPPE0O9Qu1ddEHDN7+TBRdfSRbGxsdh etdadlX+FCtL/dFTRkfQx9MEFUPRw5a3/pBhUVSvioiEUhA2oLxd8MmtbudFNajROoSv TP+bY5AQEWPEas7huXvQa92fSvt4xHRTzRQ6IAiwIozy32w+5lTvpJyGM9q0i7ofBvnQ e6YXpMkEt+PSBdiVP1YKU70zNYxJrQvH/y5U6JYkB8FM/ge7bMn07nBU5zF/kHF29Qbu EBBhckbkS/3Q5MYuN10DM1xiZDOUUzbpVIKCIBWnpyxsZVvrW++K1U+cJdfuoJEKM3pe xwog== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:from:subject:openpgp:autocrypt:message-id :date:user-agent:mime-version:content-language :content-transfer-encoding; bh=d8RkJ3A4iA7/bwgJXWjmMQVQ0FryVw4kugpadhktIww=; b=b7ooEU/NuTJKdrbQouWBQC0Sf3gZ5k7N8a18PmJWlCT82yTC8s41EMcKrmT/DxvjMH aUmtBs3HPYkbCcA0ZYhnhdiewRR1P6VlBljPzL25zSslv/YDQmC5A+q7F3Xq3KHeK43d mp9PaqYOeoNZwGjTiBAE/4bZLQ20RjJFKu1m5yfliqaiJXW36yo+/rKM6t/4MSv2RxHC KRLYvwCmoRyutS2cGnxwkv8WXa9DGpsFQb9WKZgTUc5bcVf6xyWIE7ly6laJkxlMmVim p7acrWD212my1bhX9nz7Ui01GP9+glymrim8jzHGRYzoNELvR737STKnjr8ZJ6DYj+Ec 0Ueg== X-Gm-Message-State: APjAAAUGFRrnktp6XuwvlOLL1AP7PFkp9wuPeEFyleJeZvoHcu9Fwak+ nlgppKEiggQgDO5ECEoCV2YBL8k= X-Google-Smtp-Source: APXvYqw7IcWxSiJtuNPEs/r9TQBjJpsKKC3HGUkp63pcTG4Zvoi6sMzradN1Jh7v8M6IdFcVa4qlbA== X-Received: by 2002:a63:c04b:: with SMTP id z11mr14197284pgi.135.1552857785709; Sun, 17 Mar 2019 14:23:05 -0700 (PDT) Received: from Stas-Pro-2016.local ([2601:646:8d01:8ee0:a56e:4a8a:338c:e746]) by smtp.gmail.com with ESMTPSA id x19sm10958247pfm.108.2019.03.17.14.23.04 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 17 Mar 2019 14:23:04 -0700 (PDT) To: PHP Internals , "security@php.net" Openpgp: preference=signencrypt Autocrypt: addr=smalyshev@gmail.com; prefer-encrypt=mutual; keydata= mQMuBE9mqaARCACFSqcGmNunkjQQu3X+yXnTmFeEkvM4JXZTOBdR8aEevNGmmFEfyvjaDjWi 9hcwp4E/lYtC+P7VsVjM1OSX9eq0jC/lGL0ZyRXek+mNy0n5H1NSuTpf9Y18LMqhc4G+RU+L cNiZ9K0DJuOOvNLPxW7OHZguxb3wdKPXNVa2jyRfJAKm2uaJJMT1mTmFT9a0Q8SKr+mUrrJk uG0H2o6SzrKt8Wwoint1eh67zVsJaJtQFchnEZnlawIcqP2yC4nLGR3MkubowxoEBYCZet18 aHVVRbvpG2Qtob8Lu5xrsGbmXymTkHTdpvkfcJFADa8MzOL90zOxXwbGfbIZOlh5En8jAQCX lfnx2eQL3BSW/6XANa51dbWiEp1d1BAkpGKtZvlk0Qf+M9WAi+9aXMe3xP5krxtgnRNUf2WN 6Zdy2MxL1RRJCFbytLhl0ronC49BsGYVGshdEH8xhBbiIOJKuVZ/DTl9bEm7P9c7CC7iJyVC khUAhouH6xzZQNLR+RU+QebYzXypVfl99Qk7EdMmr/WAZCHLuvanyqepC5EBsa3VnAfQemSN oBeGBKWWLiOsPjvS72+y1z4RUMAfXHn4l/sFMt8zt7/74AmJPwZquV41p4mPO12V4+xPyc6R sB84sfsk2QVivU8w8AkvGQeYjXoz7Iwao95+fWteVzZ36KRQvUckP8pGjHlDXnHxJ0HI1I/k OBZSjwRwUf0dd73y6erPhbLk+gf+NdI3H9KGJBzG5/rVyWKwUeQ9d5ud4jTJRkQGvAP5pg76 vEa9dogbpe4W5Z+0BfbiJSnQmQWSHiZddj/t33ptbup44Ck6ZTgdlmFYMLF1hR47PIZTDKER EuKYGci/vq8snZvEJP9YCw/TtiHcMdrMKcY/+Lp8lQO0GHLPB9glVhnC0db6l1Xpg1CMI8/R ozBMcij30EgATggC/y2zbiqAFoS9FN9nXPbe4phStqABEyeZ+nXudt7PUYTjVgcrqo8bHZCi sBobWC7OnKyUzxVxzUeuPkIfmZuzkLaMw2McQdvwwsNvQ0DzaLP30c1Xsm/7EIYJcOWpzlVJ 5QrdmE0/BbQyU3RhbmlzbGF2IE1hbHlzaGV2IChQSFAga2V5KSA8c21hbHlzaGV2QGdtYWls LmNvbT6IegQTEQgAIgUCT2aqtAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQL3lW vF2gS12XMwD9HuRIolSwIK77u8EY461y2u6sbX36n5/uo/LDQuxoi3sA/0MvpnvzOhv9Iufv vsZEj3E7i3h+iD5648YMwfTFCij+uQINBE9mqaAQCADfZPMpjZkkGZj3BY/7ApoLq4mwqzbh +CpLXwNn20tFNvSXfb8RdeXvVEb7Scx+W9qYpiaun2iXJgCVH8fgpZpR856ulT1q6uCG++CX ubEvip/eJkZl93/84h04KQJwsgOrAh0Om3OePRn8Pr+++0LNS0EL8uX/YHeTOGOnnmTqYTey SBVFdov6L4mepddfjekicKQqhL7mZh/xuq29JijT0uNNX8v4vDWQDu5dlAcdd+uB3gcXMD/P ginD11zp+6wtrWCm/+yBqpvDwXQX5PGUnwvbRfl7Ay3MmwmoXiecZMg0dwTSc7e0lhB4HGRH ZdBMJB4rHUVGdzqujK/ctOvrAAMFB/0Utb76Qe6sCMlHxVAmeE/fbo7Pi05btZ/x01r67dHf aMSP0riCKJ7M0OW+jAXtu9+z/BVnYisW67WWfxl2cS5tZDgiHgJARXWUOO72+sScHP8KQmTl 1z16gyKbwY3SmyBkwcpOL35nhUWNLy93syPoY6sZUTikr2bZYukHDQ33XBPs4e6MbWKfsa9q aVmnlOF3k5UqChjutfHaEa4Q7VP4wBIpphHBi9MI16oJIzzBPbGl2uoedjwiZ6QeQZnSuOVY ZxU2d3lRA8PrtfFN1VSlpEm/VcAvtieHUYWHN0wOu+cp3Slr5XJVNjTjJhl28SlinMME54mK AGf2Ldr/dRwXiGEEGBEIAAkFAk9mqaACGwwACgkQL3lWvF2gS126EQD/VVd3FgjLKglClRQP zdfU847tqDK4zJjbmRv5vLLwoE0A+wbrQs7jVGU3NrS0AIl5vUmewpp2BKzSkepy23nWmejw Message-ID: Date: Sun, 17 Mar 2019 14:23:03 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.5.3 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Subject: PHP on OSS-fuzz From: smalyshev@gmail.com (Stanislav Malyshev) Hi! Looking at the recent PHP security issues, it is clear that many of them are stemming from corner cases in various format-parsing code, and most of them either is or can be found by fuzzers. Thus, I've made an initial integration for PHP on OSS-fuzz project - a fuzzing engine for testing open source projects. PHP configuration sits here: https://github.com/google/oss-fuzz/tree/master/projects/php and implementation of fuzzers is here: https://github.com/php/php-fuzzing-sapi So far we have three fuzzers enabled: JSON, EXIF and mbstring. I plan also to add basic phar fuzzer soon. Everybody is welcome to add more fuzzers - with priority on ones that actually deal with third-party data, e.g. language parser fuzzer is not enabled right now, because people usually do not run random byte streams as PHP scripts on their servers. On the other hand, people do apply EXIF or gd functions to third-party data, so a vulnerability in that code would be high priority. That said, fuzzers can be run independently of OSS-Fuzz, so if you feel inspired to add a fuzzer for any code please do so. -- Stas Malyshev smalyshev@gmail.com