Newsgroups: php.internals
Date: Mon, 14 Oct 2019 09:44:59 +0200
To: PHP internals
Subject: FFI & Security
From: krakjoe@php.net (Joe Watkins)

Morning all,

Recently we voted on classification criteria for security bugs [1]; we include under "not an issue" any issue that "requires invocation of specific code, which may be valid but is obviously malicious".

I would like to add an explicit clause under the "not an issue" section for anything related to FFI.

It hardly seems worth it to run an RFC, although I'll be happy to if there is a single dissenting voice.

If there are no objections, I'll modify the document 7 days from today (Monday 21st October).

Cheers
Joe

[1] https://wiki.php.net/security