Newsgroups: php.internals
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Joe Watkins, PHP internals
Subject: Re: [PHP-DEV] FFI & Security
Date: Mon, 14 Oct 2019 00:47:31 -0700
Message-ID: <3cb8613b-d685-0f4e-8e60-eeb0ed78b325@gmail.com>

Hi!

> Recently we voted on classification criteria for security bugs [1], we
> include under "not an issue" any issue that "requires invocation of
> specific code, which may be valid but is obviously malicious".
>
> I would like to add an explicit clause under the "not an issue" section for
> anything related to FFI.

I agree, most of the issues with regard to FFI would not qualify as
security issues, and we may as well state that explicitly.

-- 
Stas Malyshev
smalyshev@gmail.com