Newsgroups: php.internals
Date: Thu, 3 Sep 2015 10:20:33 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stanislav Malyshev
Cc: PHP Internals
Subject: Re: [PHP-DEV] Heads up: merging security patches to 7

Hi Stas,

On Wed, Sep 2, 2015 at 7:17 AM, Yasuo Ohgaki wrote:
> There are many fixes regarding unserialize.
> We also had many fixes regarding type mismatches.
> I suppose many 3rd party modules have the same issues.
>
> How about having a doc for secure PHP internal coding?

I'm writing the draft.

I see a number of var_push_dtor() calls added to fix unserialization.
var_push_dtor() or var_push_dtor_no_addref() is always required when
php_var_unserialize() fails. Am I correct?

It will cover
 - Pointers to general secure programming resources
 - Basic memory management and debugging (how to use run-tests.php)
 - Unserialization
 - Type confusion
 - Typical overflows

If there is anything to add, please let me know.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
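Added illustration of the var_push_dtor() question raised in the message above. This is a constructed model written for this page, not code from php-src: the names var_table, table_push_dtor(), item_unserialize() and table_destroy() are stand-ins for php_unserialize_data_t, var_push_dtor(), php_var_unserialize() and var_destroy(), and the toy "i:<n>;" input format is invented. The pattern behind the fixes the message refers to is that the engine records every value in var_hash as soon as it starts building it, so a value that then fails to parse is already referenced from the table; if the caller releases that partial value immediately, the table keeps a dangling pointer that is dereferenced when the unserialize data is torn down. The model uses a `freed` flag instead of a real free() so the dangling access can be counted without undefined behaviour.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_VALS 16

/* A value built by the model unserializer. `freed` stands in for memory that
   has gone back to the allocator; a real engine would free() the struct. */
typedef struct val { int refcount; int freed; long n; } val;

/* Model of php_unserialize_data_t (hypothetical name var_table): every value
   created during one unserialize call is recorded by raw, non-owning pointer
   so back-references can be resolved, plus a list of owned references whose
   release is deferred until tear-down (the role of var_push_dtor()). */
typedef struct {
    val *slots[MAX_VALS]; int nslots;
    val *dtor[MAX_VALS];  int ndtor;
} var_table;

static val *pool[MAX_VALS]; static int npool;   /* every allocation, for the leak check */

static val *val_new(long n) {
    val *v = calloc(1, sizeof *v);
    v->refcount = 1; v->n = n;
    pool[npool++] = v;
    return v;
}
static void val_release(val *v) { if (--v->refcount == 0) v->freed = 1; }

/* Stand-in for var_push_dtor(): hand the owned reference to the table instead
   of releasing it now, so slots[] never outlives what it points to. */
static void table_push_dtor(var_table *t, val *v) { t->dtor[t->ndtor++] = v; }

/* One item of the toy format: "i:<n>;" is an integer. The value is registered
   in the table as soon as it exists, before the terminator is checked, which
   mirrors the engine: a value can sit in var_hash and still fail to parse.
   On failure *out holds the partial value (or NULL) and 0 is returned. */
static int item_unserialize(var_table *t, const char *s, val **out) {
    char *end;
    if (strncmp(s, "i:", 2) != 0) { *out = NULL; return 0; }
    *out = val_new(strtol(s + 2, &end, 10));
    t->slots[t->nslots++] = *out;
    return *end == ';';
}

/* Tear-down modelled on var_destroy(): a pass over every registered value
   (where PHP would call __wakeup on objects), then release of the deferred
   references. Returns how many registered values were already freed, i.e.
   how many use-after-free dereferences a real engine would perform here. */
static int table_destroy(var_table *t) {
    int dangling = 0;
    for (int i = 0; i < t->nslots; i++) if (t->slots[i]->freed) dangling++;
    for (int i = 0; i < t->ndtor; i++) val_release(t->dtor[i]);
    return dangling;
}

typedef struct { int dangling; int leaked; } outcome;

/* Unserialize a list of items with one shared table, as an extension that
   unserializes several fields of one payload would. `defer` selects the
   correct behaviour (push to the dtor list) over the buggy eager release. */
static outcome unserialize_items(const char *const *items, int n, int defer) {
    var_table t = {0};
    val *results[MAX_VALS]; int nres = 0;
    outcome o = {0, 0};
    npool = 0;
    for (int i = 0; i < n; i++) {
        val *v;
        if (item_unserialize(&t, items[i], &v)) { results[nres++] = v; continue; }
        if (v) {
            if (defer) table_push_dtor(&t, v);  /* correct: var_push_dtor() */
            else       val_release(v);          /* bug: slots[] now dangles */
        }
        break;                                  /* abort on the first bad item */
    }
    o.dangling = table_destroy(&t);             /* always runs, like *_DESTROY */
    for (int i = 0; i < nres; i++) val_release(results[i]);
    for (int i = 0; i < npool; i++) if (!pool[i]->freed) o.leaked++;
    for (int i = 0; i < npool; i++) free(pool[i]);
    return o;
}
```

With the constructed input "i:1;", "i:2x", "i:3;" the second item is registered and then fails. Eager release reports one dangling table entry at tear-down; deferring the release through the dtor list reports none and still frees every value, which is the behaviour the var_push_dtor() fixes restore.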