Newsgroups: php.internals
Xref: news.php.net php.internals:121198
Subject: Re: [PHP-DEV] Security Audit Priorities
From: dusk@woofle.net (Dusk)
To: Derick Rethans
Cc: PHP Developers Mailing List, PHP Security List
Date: Sat, 30 Sep 2023 21:46:02 -0700
In-Reply-To: <98cb519e-4b45-5069-9f48-6e78dddf3284@php.net>

On Sep 25, 2023, at 01:49, Derick Rethans wrote:

> The Foundation is organising an external audit/security check of the PHP
> source code. As part of that, we would like to identify the places in
> the PHP source code where checking this will have the most impact.

String parsing functions. Not just for outright vulnerabilities, but also for logical errors which can make them behave differently from other implementations, or make them behave in unexpected ways when presented with unusual inputs.

A couple of important examples that come to mind are:

* the HTTP stream wrapper
* json_encode/decode/etc
* parse_url - particularly as compared to the HTML5 URL parser spec
* strip_tags - similarly, compare to HTML5 tag parsing
* htmlentity_decode, htmlspecialchars_decode