Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:72564 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 39130 invoked from network); 13 Feb 2014 21:14:15 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 13 Feb 2014 21:14:15 -0000 Authentication-Results: pb1.pair.com smtp.mail=nikita.ppv@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=nikita.ppv@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.214.173 as permitted sender) X-PHP-List-Original-Sender: nikita.ppv@gmail.com X-Host-Fingerprint: 209.85.214.173 mail-ob0-f173.google.com Received: from [209.85.214.173] ([209.85.214.173:45530] helo=mail-ob0-f173.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 3F/0B-09050-6A53DF25 for ; Thu, 13 Feb 2014 16:14:14 -0500 Received: by mail-ob0-f173.google.com with SMTP id vb8so13023490obc.32 for ; Thu, 13 Feb 2014 13:14:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=z2h224QeYZKGeAnwVT46SAiYRBtHnEKcCqx8YlqOkLk=; b=cJr/CmWcZBG8vNg4khfLTAHakJ8nocxFW7az/yRHlamhWGUpm04QpSi8U5Tt7ik3d4 eKrZMwfrF6pOusUf6H27PQ34G6HO1USNwUKGbJHARsCWD5wPg1z4ciGUhlyinIuovirs YIwJBhGqwiZ0fx3lRerCeIQaBQ329YV8sQ7KGxI6db/UUHkUTftKtpkKzXprpDoOp9Iz KAQJQnJcpf5cZr16A3/KlKdpxxh5V7sip7VXYm9rOsifYUePqEef2K5L69kU2xkGD2rq b9WnZgyM596C4w/lnNws8lxr/8NwNap3e0JfEA4vVgTEaYoNFdwyQ9ttV4gkjd77Feiq A/Sg== MIME-Version: 1.0 X-Received: by 10.60.94.175 with SMTP id dd15mr3086226oeb.56.1392326051870; Thu, 13 Feb 2014 13:14:11 -0800 (PST) Received: by 10.182.54.112 with HTTP; Thu, 13 Feb 2014 13:14:11 -0800 (PST) In-Reply-To: References: Date: Thu, 13 Feb 2014 22:14:11 +0100 Message-ID: To: Yasuo Ohgaki Cc: "internals@lists.php.net" Content-Type: multipart/alternative; boundary=089e01182660bbbe9504f2502b63 Subject: Re: [PHP-DEV] [VOTE] Multbye char handling - Remove vulnerability related to multibyte short and long term From: nikita.ppv@gmail.com (Nikita Popov) --089e01182660bbbe9504f2502b63 Content-Type: text/plain; charset=ISO-8859-1 On Mon, Feb 10, 2014 at 4:56 AM, Yasuo Ohgaki wrote: > Hi all, > > Current PHP has security issue that attacker may execute arbitrarily script > via encoding based attack. These 2 RFCs are for short and long term > resolution for this issue. > > > > Short term: Multibyte Char Handling > https://wiki.php.net/rfc/multibyte_char_handling > Add functions required to resolve security issues. CVE-2014-1239 > > > Long term: Alternative implementation of mbstring using ICU > https://wiki.php.net/rfc/altmbstring > We need multibyte feature as default. However, current mbstring has license > issues. Resolve license issues by alternative mbstring in the future. > Introduce mbstring-ng as EXPERIMENTAL module for further development, > testing, feedback from users. > > VOTE: 2014/02/10 - 2014/02/17 > > > > Please note that these RFCs are independent from whether PHP is going to > support Unicode in core or not. It's about how PHP provides required > features. Even when PHP supports UTF-8 as string encoding, these multibyte > features are required. Otherwise, encoding parameter/property is mandatory > for core multibyte support. We need to support existing applications long > term also. > > Since it is security related issue, please provide/propose alternative > resolution if anyone feels it is not the way to go. There must be feasible > resolution. > > Thank you for voting and/or alternative proposal! > Even though alternative is better to proposed during discussion period, > better alternative is welcomed at anytime. > > Regards, > > P.S. We are better to have comment field in RFC. It is not constructive > just voting "No" without reason/alternative. Alternatively, we may have > rule > to post mail here explains the reason why. > I voted no on both RFCs, for about the same reasons as Joe. Voting on mbstring-ng at this point makes about zero sense, given that the code is nowhere even near being ready for merging into PHP. Regarding the other RFC for the addition of new mb_* function, I'd like to start off by saying that I disagree with your premise that this is a security vulnerability that needs to be fixed quickly and across all supported versions. As far as I can see the issue is somebody using addslashes() in an inappropriate context - this is a vulnerability in the application, not PHP. This is a lot like saying that we have an RCE vulnerability in eval() because someone had the genius idea of putting eval($_GET['str']) in his or her code. As this constitutes no critical or non-critical vulnerability in PHP, any function additions should only happen in PHP 5.6 and not PHP 5.4+. Apart from this, the RFC is very low on technical detail. It doesn't have a patch, which is not a problem *per-se*, however it doesn't have any implementational details whatsoever. While I guess that the addslashes part is rather straightforward, I'm sure that addcslashes, escapeshellarg and var_export are less trivial. An example of what is unclear: The addclashes functions has a charlist parameter. Currently chars with ASCII <32, >126 are encoded in octal - what will happen here with multibyte chars? Will you encode the unicode code point in octal? Are there even systems that support that? And what about the range feature? Will this cover unicode code point ranges now? Etc. This RFC probably has merit, but right now there is not enough detail to make an informed decision. Thanks, Nikita --089e01182660bbbe9504f2502b63--