Newsgroups: php.internals
Xref: news.php.net php.internals:121138
Date: Mon, 25 Sep 2023 17:33:00 +0200
To: internals@lists.php.net
In-Reply-To: <98cb519e-4b45-5069-9f48-6e78dddf3284@php.net>
Subject: Re: [PHP-DEV] Security Audit Priorities
From: tim@bastelstu.be (Tim Düsterhus)

Hi

On 9/25/23 10:49, Derick Rethans wrote:
> So, if you can suggest an area where doing an external review would have
> high impact, please reply to this email.

Some things from the top of my head in arbitrary order. Not all of them are necessarily important themselves per se, but rather intended to spark additional thoughts.

- Footguns in the default configuration / tunables / php.ini [1]
- MySQL Native Driver
- password_* [1]
- hash_equals()
- ext/json, specifically json_decode()
- The CSPRNG (ext/random/csprng.c)
- bin2hex, base64_encode [2]
- Open-ended: Misuse resistance of existing functions - Is it possible for a user to not properly check a return value and would this result in harm (i.e. should the function throw, but does not yet)?

Best regards
Tim Düsterhus

[1] These tie a little into my https://wiki.php.net/rfc/bcrypt_cost_2023 RFC, which is not code but configuration.
[2] Should these be made constant-time / should constant-time implementations always be available? See: https://github.com/paragonie/constant_time_encoding
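As an added illustration of what footnote [2] is asking for (this is example code, not from Tim's post nor from the paragonie library), here is a hex encoder that avoids both branches and table lookups keyed by the secret bytes, using plain nibble arithmetic, checked against bin2hex() on a constructed input. The function name and sample input are this example's own.

```php
<?php
declare(strict_types=1);

// Hypothetical constant-time counterpart to bin2hex(): the output character
// for each nibble is computed arithmetically, so neither control flow nor
// the memory address touched depends on the byte being encoded. bin2hex()
// is correct but makes no such promise, which is the gap footnote [2] raises.
function hexEncodeConstantTime(string $bin): string
{
    $out = '';
    $len = strlen($bin);
    for ($i = 0; $i < $len; $i++) {
        $byte = ord($bin[$i]);
        $hi = $byte >> 4;
        $lo = $byte & 0x0f;
        // For a nibble n in 0..9, (n - 10) >> 8 is -1 (PHP's >> is arithmetic),
        // so the mask is ~38 = -39 and the result is 87 + n - 39 = 48 + n ('0'..'9').
        // For n in 10..15 the mask is 0 and the result is 87 + n ('a'..'f').
        $out .= chr(87 + $hi + ((($hi - 10) >> 8) & ~38));
        $out .= chr(87 + $lo + ((($lo - 10) >> 8) & ~38));
    }
    return $out;
}

// Constructed sample: edge bytes plus 16 random bytes.
$sample = "\x00\x7f\x80\xff" . random_bytes(16);
if (hexEncodeConstantTime($sample) !== bin2hex($sample)) {
    throw new RuntimeException('constant-time encoder disagrees with bin2hex()');
}
// When the encoded value is itself a secret (e.g. a token), compare it with
// hash_equals() so that the comparison step does not reintroduce a timing leak.
var_dump(hash_equals(bin2hex($sample), hexEncodeConstantTime($sample)));
```

The arithmetic trick only removes data-dependent branches and lookups from the PHP-level logic; the engine's string handling and the JIT still give no formal constant-time guarantee, which is why the question of shipping such implementations in core is worth an auditor's attention.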