Newsgroups: php.internals
Message-ID: <87810017-e1f6-b1e7-641c-78643a554644@gmail.com>
Date: Wed, 27 Sep 2023 11:10:47 -0600
To: internals@lists.php.net
References: <98cb519e-4b45-5069-9f48-6e78dddf3284@php.net> <3c2536fd-5c65-4364-8693-f0047fef8ebc@gmail.com>
In-Reply-To: <3c2536fd-5c65-4364-8693-f0047fef8ebc@gmail.com>
Subject: Re: [PHP-DEV] Security Audit Priorities
From: smalyshev@gmail.com (Stanislav Malyshev)

Hi!

> This reminds me of something.
> There's an interesting paper about ReDoS resilience in different regex engines.
> Some programming languages, including PHP, are evaluated there and compared: https://www.usenix.org/system/files/sec22-turonova.pdf
> PHP has some configuration knobs for pcre (https://www.php.net/manual/en/pcre.configuration.php), not a lot to tune but maybe they can be?
> To be honest, I haven't looked much into this.

Interesting topics, but I think not the top priority for the security audit, due to the fact that in common PHP use, regexps rarely come from a third party, and if they do (e.g. if you're writing a RE-driven search engine) you'd probably have potentially expensive searches anyway and thus make some ways to deal with it.

In general, I think there are two security aspects we're dealing with - one is guarding the PHP user from a hostile third party, and another is guarding the PHP developer from writing code that may expose the end user. I think the former is the higher priority, though both are ultimately important.

Thanks,
-- 
Stas Malyshev
smalyshev@gmail.com
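The quoted message points at the pcre configuration page without naming the knobs, and the reply notes that third-party patterns are the rare case where they matter. The following is an added example, not code from either poster or from PHP itself, showing how a developer can bound the damage of a pattern they do not fully trust: it tightens `pcre.backtrack_limit` (a real ini directive documented on the linked manual page) for one call and reads `preg_last_error()` to distinguish "no match" from "the engine gave up". The pattern and input are constructed test data; `guardedMatch` is a name chosen for this example.

```php
<?php
// Added example (not part of the thread): bound PCRE backtracking for a
// pattern that is not fully trusted, using the pcre.* ini directives from
// https://www.php.net/manual/en/pcre.configuration.php and preg_last_error().
// guardedMatch() is a hypothetical helper name; the pattern and subject below
// are constructed for demonstration.

declare(strict_types=1);

/**
 * Run $pattern against $subject with a tightened backtrack budget.
 * Returns ['matched' => bool, 'error' => ?string].
 */
function guardedMatch(string $pattern, string $subject, int $backtrackLimit = 100_000): array
{
    // Remember the caller's configuration so it can be restored afterwards.
    $oldLimit = (string) ini_get('pcre.backtrack_limit');
    $oldJit   = (string) ini_get('pcre.jit');

    // pcre.backtrack_limit only governs the interpreter; the JIT has its own
    // stack limit and error code, so disable JIT for this call to make the
    // backtrack budget the thing that is enforced.
    ini_set('pcre.jit', '0');
    ini_set('pcre.backtrack_limit', (string) $backtrackLimit);

    try {
        $result = preg_match($pattern, $subject);
        if ($result === false) {
            // preg_match() returns false on any PCRE error; find out which one,
            // because a hit on the backtrack limit is the ReDoS signal.
            $code = preg_last_error();
            $msg  = $code === PREG_BACKTRACK_LIMIT_ERROR
                ? 'backtrack limit exhausted (possible catastrophic backtracking)'
                : preg_last_error_msg();
            return ['matched' => false, 'error' => $msg];
        }
        return ['matched' => $result === 1, 'error' => null];
    } finally {
        // Restore the original settings even if preg_match() failed.
        ini_set('pcre.backtrack_limit', $oldLimit);
        ini_set('pcre.jit', $oldJit);
    }
}

// Constructed demonstration: a nested-quantifier pattern and a non-matching
// input, the classic shape that makes a backtracking engine explode.
$pattern = '/^(a+)+$/';
$subject = str_repeat('a', 30) . '!';
var_dump(guardedMatch($pattern, $subject));

// A well-behaved pattern on the same helper, for comparison.
var_dump(guardedMatch('/^[a-z]+$/', 'hello'));
```

The budget of 100,000 backtracks is a deliberately low value for the example; a service should pick a limit from its own latency requirements and, as the reply suggests, treat a limit hit on a third-party pattern as an expected outcome to log and reject rather than as an internal error. Note that with `pcre.jit` left on, the corresponding failure surfaces as `PREG_JIT_STACKLIMIT_ERROR` instead, so code that checks only for the backtrack error would miss it.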