FFI & Security - Externals

5 years ago by Joe Watkins — view source

unread

Morning all,

Recently we voted on classification criteria for security bugs [1], we
include under "not an issue" any issue that "requires invocation of
specific code, which may be valid but is obviously malicious".

I would like to add an explicit clause under the "not an issue" section for
anything related to FFI.

It hardly seems worth it to run an RFC, although I'll be happy too if there
is a single dissenting voice.

If there are no objections, I'll modify the document 7 days from today
(Monday 21st October).

Cheers
Joe

[1] https://wiki.php.net/security

5 years ago by Stanislav Malyshev — view source

unread

Hi!

Recently we voted on classification criteria for security bugs [1], we
include under "not an issue" any issue that "requires invocation of
specific code, which may be valid but is obviously malicious".

I would like to add an explicit clause under the "not an issue" section for
anything related to FFI.

I agree, most of the issues with regard to FFI would not qualify as
security issues, and we may as well state that explicitly.

--
Stas Malyshev
smalyshev@gmail.com

5 years ago by Christoph M. Becker — view source

unread

Recently we voted on classification criteria for security bugs [1], we
include under "not an issue" any issue that "requires invocation of
specific code, which may be valid but is obviously malicious".

I would like to add an explicit clause under the "not an issue" section for
anything related to FFI.

It hardly seems worth it to run an RFC, although I'll be happy too if there
is a single dissenting voice.

If there are no objections, I'll modify the document 7 days from today
(Monday 21st October).

Cheers
Joe

[1] https://wiki.php.net/security

What is the status here? It seems the security classification document
has not yet been updated.

Cheers,
Christoph

5 years ago by Joe Watkins — view source

unread

Morning internals,

Sorry about the delay, this has now been updated.

There was an unexpected problem communicating with SMTP: Unexpected
return code - Expected: 250, Got: 451 | 451 4.3.0 Error: queue file write
error

Because infrastructure ...

Cheers
Joe

Recently we voted on classification criteria for security bugs [1], we
include under "not an issue" any issue that "requires invocation of
specific code, which may be valid but is obviously malicious".

I would like to add an explicit clause under the "not an issue" section
for
anything related to FFI.

It hardly seems worth it to run an RFC, although I'll be happy too if
there
is a single dissenting voice.

If there are no objections, I'll modify the document 7 days from today
(Monday 21st October).

Cheers
Joe

[1] https://wiki.php.net/security

What is the status here? It seems the security classification document
has not yet been updated.

Cheers,
Christoph