Newsgroups: php.internals
Subject: Re: [PHP-DEV] Security Audit Priorities
From: divinity76@gmail.com (Hans Henrik Bergan)
To: Derick Rethans
Cc: PHP Developers Mailing List, PHP Security List
Date: Mon, 25 Sep 2023 15:13:24 +0200
In-Reply-To: <98cb519e-4b45-5069-9f48-6e78dddf3284@php.net>

The php-fpm master<->php-fpm worker glue code. php-fpm master usually
runs as *root*, so a compromise in that glue could lead to webserver
rooting.

On Mon, 25 Sept 2023 at 10:49, Derick Rethans wrote:
>
> Hi,
>
> The Foundation is organising an external audit/security check of the PHP
> source code. As part of that, we would like to identify the places in
> the PHP source code where checking this will have the most impact.
>
> Typical areas would be where user input can be (automatically read) remotely, such as
> our RFC 1867 HTTP header parser. But we are sure there are other
> important areas as well, and we would like your input.
>
> So, if you can suggest an area where doing an external review would have
> high impact, please reply to this email.
>
> cheers,
> Derick
>
> --
> https://derickrethans.nl | https://xdebug.org | https://dram.io
>
> Author of Xdebug. Like it? Consider supporting me: https://xdebug.org/support
> Host of PHP Internals News: https://phpinternals.news
>
> mastodon: @derickr@phpc.social @xdebug@phpc.social
> twitter: @derickr and @xdebug