FFI & Security

  107534
October 14, 2019 07:44 krakjoe@php.net (Joe Watkins)
Morning all,

Recently we voted on classification criteria for security bugs [1], we
include under "not an issue" any issue that "requires invocation of
specific code, which may be valid but is obviously malicious".

I would like to add an explicit clause under the "not an issue" section for
anything related to FFI.

It hardly seems worth it to run an RFC, although I'll be happy to if there
is a single dissenting voice.

If there are no objections, I'll modify the document 7 days from today
(Monday 21st October).

Cheers
Joe

[1] https://wiki.php.net/security
  107535
October 14, 2019 07:47 smalyshev@gmail.com (Stanislav Malyshev)
Hi!

> Recently we voted on classification criteria for security bugs [1], we
> include under "not an issue" any issue that "requires invocation of
> specific code, which may be valid but is obviously malicious".
>
> I would like to add an explicit clause under the "not an issue" section for
> anything related to FFI.

I agree, most of the issues with regard to FFI would not qualify as
security issues, and we may as well state that explicitly.

--
Stas Malyshev
smalyshev@gmail.com
  107732
October 30, 2019 11:41 cmbecker69@gmx.de ("Christoph M. Becker")
On 14.10.2019 at 09:44, Joe Watkins wrote:

> Recently we voted on classification criteria for security bugs [1], we
> include under "not an issue" any issue that "requires invocation of
> specific code, which may be valid but is obviously malicious".
>
> I would like to add an explicit clause under the "not an issue" section for
> anything related to FFI.
>
> It hardly seems worth it to run an RFC, although I'll be happy to if there
> is a single dissenting voice.
>
> If there are no objections, I'll modify the document 7 days from today
> (Monday 21st October).
>
> Cheers
> Joe
>
> [1] https://wiki.php.net/security

What is the status here? It seems the security classification document
has not yet been updated.

Cheers,
Christoph
  107760
November 4, 2019 08:33 krakjoe@gmail.com (Joe Watkins)
Morning internals,

Sorry about the delay, this has now been updated.

> There was an unexpected problem communicating with SMTP: Unexpected return code - Expected: 250, Got: 451 | 451 4.3.0 Error: queue file write error

Because infrastructure ...

Cheers
Joe

On Wed, 30 Oct 2019 at 12:41, Christoph M. Becker <cmbecker69@gmx.de> wrote:

> On 14.10.2019 at 09:44, Joe Watkins wrote:
>
> > Recently we voted on classification criteria for security bugs [1], we
> > include under "not an issue" any issue that "requires invocation of
> > specific code, which may be valid but is obviously malicious".
> >
> > I would like to add an explicit clause under the "not an issue" section for
> > anything related to FFI.
> >
> > It hardly seems worth it to run an RFC, although I'll be happy to if there
> > is a single dissenting voice.
> >
> > If there are no objections, I'll modify the document 7 days from today
> > (Monday 21st October).
> >
> > Cheers
> > Joe
> >
> > [1] https://wiki.php.net/security
>
> What is the status here? It seems the security classification document
> has not yet been updated.
>
> Cheers,
> Christoph