security
Differences
This shows you the differences between two versions of the page.
security [2016/11/05 19:10] – I think we should decide on severity and disclosure, to avoid misunderstanding stas | security [2023/03/20 06:39] – stas | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== Meta ====== | ||
+ | |||
+ | * Authors: Release Managers | ||
+ | * Date: November 2016 | ||
+ | * Version: 1.0.1 | ||
+ | * RFC: [[rfc: | ||
+ | |||
+ | ====== Introduction ====== | ||
+ | |||
For the sake of our users, we classify some of the issues found in PHP as " | For the sake of our users, we classify some of the issues found in PHP as " | ||
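Review bot: the Meta block added in this hunk (`* Date: November 2016`, `* Version: 1.0.1`) does not match the revision it is added in, which the page header dates 2023/03/20 and which changes the classification rules further down (new exclusions for FFI and open_basedir bypasses); bump the version and date in the same change, or add a short revision history line, so a reader can tell which set of rules was in force for a given report.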
Line 29: | Line 38: | ||
This category also may include issues that require special code or code pattern if such code or pattern is present in many popular libraries. | This category also may include issues that require special code or code pattern if such code or pattern is present in many popular libraries. | ||
- | This kind of issues usually | + | This kind of issues usually |
===== Medium severity ===== | ===== Medium severity ===== | ||
Line 45: | Line 54: | ||
===== Low severity ===== | ===== Low severity ===== | ||
- | This issue allows theoretical compromise of security, but practical attack is usually impossible or extremely hard due to common practices or limitations that are virtually always present. | + | This issue allows theoretical compromise of security, but practical attack is usually impossible or extremely hard due to common practices or limitations that are virtually always present |
This also includes problems with configuration, | This also includes problems with configuration, | ||
Line 59: | Line 68: | ||
We do not classify as a security issue any issue that: | We do not classify as a security issue any issue that: | ||
- | * requires invocation of specific code (unless it is a very simple frequently used code, such as starting a session, calling a constructor, | + | * requires invocation of specific code, which may be valid but is obviously malicious |
- | * requires invocation of functions with specific arguments | + | * requires invocation of functions with specific arguments, which may be valid but are obviously malicious |
- | * requires specific actions to be performed on the server | + | * requires specific actions to be performed on the server, which are not commonly performed, or are not commonly |
* requires privileges superior to that of the user (uid) executing PHP | * requires privileges superior to that of the user (uid) executing PHP | ||
* requires the use of debugging facilities - ex. xdebug, var_dump | * requires the use of debugging facilities - ex. xdebug, var_dump | ||
* requires the use of settings not recommended for production - ex. error reporting to output | * requires the use of settings not recommended for production - ex. error reporting to output | ||
* requires the use of non-standard environment variables - ex. USE_ZEND_ALLOC | * requires the use of non-standard environment variables - ex. USE_ZEND_ALLOC | ||
- | * requires the use of non-standard builds | + | * requires the use of non-standard builds |
* requires the use of code or settings known to be insecure | * requires the use of code or settings known to be insecure | ||
+ | * requires the use of FFI | ||
+ | * requires an open_basedir bypass | ||
+ | |||
====== Handling issues ====== | ====== Handling issues ====== | ||
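Review bot: the reworded exclusion `* requires invocation of specific code, which may be valid but is obviously malicious` drops the explicit carve-out the previous text had (`unless it is a very simple frequently used code, such as starting a session, calling a constructor`), which is what kept bugs reachable through ordinary idioms in scope; "obviously malicious" is a judgement call that reporters and triagers may read differently, so keep the list of common idioms that remain in scope, or state the criterion in one sentence. The same applies to the argument exclusion on the next line. The two new items `* requires the use of FFI` and `* requires an open_basedir bypass` would read more clearly with the same kind of example or rationale the neighbouring items give (`ex. xdebug, var_dump`), since a reporter will otherwise ask whether open_basedir is treated as a security boundary at all.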
Line 74: | Line 86: | ||
Low severity fixes are merged immediately after the fix is available and handled like all regular bugs are handled consequently. However, release managers may choose to pull those fixes into the RC branch after the branch is created, and also backport them into security-only release branch. | Low severity fixes are merged immediately after the fix is available and handled like all regular bugs are handled consequently. However, release managers may choose to pull those fixes into the RC branch after the branch is created, and also backport them into security-only release branch. | ||
+ | |||
====== FAQ ====== | ====== FAQ ====== | ||
Q. How do I report a security issue?\\ | Q. How do I report a security issue?\\ | ||
- | A. Please report it on http:// | + | A. Please report it on http:// |
Q. What do you consider a responsible disclosure? | Q. What do you consider a responsible disclosure? |
security.txt · Last modified: 2024/01/30 17:35 by derick