Newsgroups: php.internals
Message-ID: <3c2536fd-5c65-4364-8693-f0047fef8ebc@gmail.com>
Date: Wed, 27 Sep 2023 17:58:15 +0200
To: internals@lists.php.net
References: <98cb519e-4b45-5069-9f48-6e78dddf3284@php.net>
Subject: Re: [PHP-DEV] Security Audit Priorities
From: dossche.niels@gmail.com (Niels Dossche)

Hi

On 25/09/2023 17:33, Tim Düsterhus wrote:
> Hi
>
> On 9/25/23 10:49, Derick Rethans wrote:
>> So, if you can suggest an area where doing an external review would have
>> high impact, please reply to this email.
>
> Some things from top of my head in arbitrary order. Not all of them are
> necessarily important themselves per se, but rather intended to spark
> additional thoughts.
>
> - Footguns in the default configuration / tunables / php.ini [1]

This reminds me of something. There's an interesting paper about ReDoS
resilience in different regex engines. Some programming languages,
including PHP, are evaluated there and compared:
https://www.usenix.org/system/files/sec22-turonova.pdf

PHP has some configuration knobs for pcre
(https://www.php.net/manual/en/pcre.configuration.php), not a lot to tune
but maybe they can be? To be honest, I haven't looked much into this.

> - MySQL Native Driver
> - password_* [1]
> - hash_equals()
> - ext/json, specifically json_decode()
> - The CSPRNG (ext/random/csprng.c)
> - bin2hex, base64_encode [2]
> - Open-ended: Misuse resistance of existing functions - Is it possible
>   for a user to not properly check a return value and would this result
>   in harm (i.e. should the function throw, but does not yet)?
>
> Best regards
> Tim Düsterhus
>
> [1] These tie a little into my https://wiki.php.net/rfc/bcrypt_cost_2023
>     RFC, which is not code but configuration.
> [2] Should these be made constant-time / should constant-time
>     implementations always be available? See:
>     https://github.com/paragonie/constant_time_encoding

Cheers
Niels
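The two points above (Niels's remark about the pcre tunables as a ReDoS backstop, and Tim's "misuse resistance: unchecked return value" item) meet in one place: preg_match() returns false, not 0, when the engine aborts on pcre.backtrack_limit, and a caller that compares loosely against 0 silently treats the abort as "no match". The following is an added example written for this thread, not code from the PHP project or from either poster. The pattern and input are constructed to backtrack catastrophically, and safe_preg_match() is a hypothetical wrapper name.

```php
<?php
// Added example (not from the mailing-list thread): how pcre.backtrack_limit
// turns catastrophic backtracking into a detectable failure, and why the
// preg_match() return value must be checked against false, not just 0.
declare(strict_types=1);

// Constructed sample: a nested-quantifier pattern and an input that can
// never match, so the engine explores exponentially many ways to fail.
const PATTERN = '/^(a+)+$/';
$input = str_repeat('a', 30) . '!';

// Lower the backtracking budget for this process. In production these are
// the php.ini knobs from the manual page linked above:
// pcre.backtrack_limit and pcre.recursion_limit. The JIT counts the limit
// differently and can report PREG_JIT_STACKLIMIT_ERROR instead, so it is
// disabled here to keep the demonstration deterministic.
ini_set('pcre.backtrack_limit', '100000');
ini_set('pcre.jit', '0');

/**
 * Hypothetical wrapper: an engine failure is never confused with
 * "did not match". Returns true/false for a match and throws on error,
 * which is the behaviour the "misuse resistance" item asks about.
 */
function safe_preg_match(string $pattern, string $subject): bool
{
    $result = preg_match($pattern, $subject);
    if ($result === false) {
        // preg_last_error_msg() is available since PHP 8.0.
        throw new RuntimeException(
            'preg_match failed: ' . preg_last_error_msg()
            . ' (code ' . preg_last_error() . ')'
        );
    }
    return $result === 1;
}

// Naive use: on abort preg_match() yields false, and preg_last_error()
// is PREG_BACKTRACK_LIMIT_ERROR. A loose comparison with 0 hides that,
// so the caller proceeds as if the input simply did not match.
$naive = preg_match(PATTERN, $input);
if ($naive == 0) {
    echo "naive: treated as no match; engine status was ",
        preg_last_error_msg(), "\n";
}
// The strict check is what distinguishes the two outcomes.
if ($naive === false && preg_last_error() === PREG_BACKTRACK_LIMIT_ERROR) {
    echo "naive: the match was actually aborted by pcre.backtrack_limit\n";
}

// Checked use: the same abort surfaces as an exception the caller
// cannot overlook.
try {
    safe_preg_match(PATTERN, $input);
} catch (RuntimeException $e) {
    echo 'checked: ', $e->getMessage(), "\n";
}

// A benign subject under the same budget matches normally, which shows
// the limit only bites on pathological inputs rather than on every call.
$ok = safe_preg_match(PATTERN, str_repeat('a', 30));
echo 'benign input matched: ', var_export($ok, true), "\n";
```

The design point is that lowering pcre.backtrack_limit is only half a mitigation: it bounds the CPU a hostile input can burn, but the bounded failure still has to be observed, and the only way to observe it is a strict `=== false` check (or a wrapper that throws) rather than the idiomatic `if (preg_match(...))`.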