Newsgroups: php.internals
Date: Thu, 20 Jun 2019 17:54:08 +0200
From: nikita.ppv@gmail.com (Nikita Popov)
To: Stanislav Malyshev
Cc: PHP Internals, "security@php.net"
Subject: Re: [PHP-DEV] PHP on OSS-fuzz

On Sun, Mar 17, 2019 at 10:23 PM Stanislav Malyshev wrote:

> Hi!
>
> Looking at the recent PHP security issues, it is clear that many of them
> are stemming from corner cases in various format-parsing code, and most
> of them either are or can be found by fuzzers.
>
> Thus, I've made an initial integration for PHP on OSS-fuzz project - a
> fuzzing engine for testing open source projects. PHP configuration sits
> here:
> https://github.com/google/oss-fuzz/tree/master/projects/php
> and implementation of fuzzers is here:
> https://github.com/php/php-fuzzing-sapi
>
> So far we have three fuzzers enabled: JSON, EXIF and mbstring. I plan
> also to add basic phar fuzzer soon. Everybody is welcome to add more
> fuzzers - with priority on ones that actually deal with third-party
> data, e.g. language parser fuzzer is not enabled right now, because
> people usually do not run random byte streams as PHP scripts on their
> servers. On the other hand, people do apply EXIF or gd functions to
> third-party data, so a vulnerability in that code would be high priority.
>
> That said, fuzzers can be run independently of OSS-Fuzz, so if you feel
> inspired to add a fuzzer for any code please do so.
>

Where are issues detected by oss-fuzz reported?

Nikita