Newsgroups: php.internals
Xref: news.php.net php.internals:121145
References: <98cb519e-4b45-5069-9f48-6e78dddf3284@php.net>
In-Reply-To: <98cb519e-4b45-5069-9f48-6e78dddf3284@php.net>
Date: Tue, 26 Sep 2023 11:42:50 +0200
To: Derick Rethans
Cc: PHP Developers Mailing List, PHP Security List
Subject: Re: [PHP-DEV] Security Audit Priorities
From: landers.robert@gmail.com (Robert Landers)

On Mon, Sep 25, 2023 at 10:49 AM Derick Rethans wrote:
>
> Hi,
>
> The Foundation is organising an external audit/security check of the PHP
> source code. As part of that, we would like to identify the places in
> the PHP source code where checking this will have the most impact.
>
> Typical areas would be where user input can be (automatically read) remotely, such as
> our RFC 1867 HTTP header parser. But we are sure there are other
> important areas as well, and we would like your input.
>
> So, if you can suggest an area where doing an external review would have
> high impact, please reply to this email.
>
> cheers,
> Derick
>
> --
> https://derickrethans.nl | https://xdebug.org | https://dram.io
>
> Author of Xdebug. Like it? Consider supporting me: https://xdebug.org/support
> Host of PHP Internals News: https://phpinternals.news
>
> mastodon: @derickr@phpc.social @xdebug@phpc.social
> twitter: @derickr and @xdebug
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: https://www.php.net/unsub.php
>

Possibly the spl extension. Most of that memory lives outside of PHP during
runtime and is invisible to the engine, IIRC. Lots of people put random
user input in the objects there.

Robert Landers
Software Engineer
Utrecht NL