Hi

On 25/09/2023 17:33, Tim Düsterhus wrote:
> Hi
> 
> On 9/25/23 10:49, Derick Rethans wrote:
>> So, if you can suggest an area where doing an external review would have
>> high impact, please reply to this email.
> 
> Some things from the top of my head in arbitrary order. Not all of them are 
> necessarily important themselves per se, but rather intended to spark 
> additional thoughts.
> 
> - Footguns in the default configuration / tunables / php.ini [1]

This reminds me of something.
There's an interesting paper about ReDoS resilience in different regex engines.
Some programming languages, including PHP, are evaluated there and compared: 
https://www.usenix.org/system/files/sec22-turonova.pdf
PHP has some configuration knobs for pcre 
(https://www.php.net/manual/en/pcre.configuration.php), not a lot to tune but 
maybe they can be?
To be honest, I haven't looked much into this.

> - MySQL Native Driver
> - password_* [1]
> - hash_equals()
> - ext/json, specifically json_decode()
> - The CSPRNG (ext/random/csprng.c)
> - bin2hex, base64_encode [2]
> - Open-ended: Misuse resistance of existing functions - Is it possible for a 
> user to not properly check a return value and would this result in harm (i.e. 
> should the function throw, but does not yet)?
> 
> Best regards
> Tim Düsterhus
> 
> [1] These tie a little into my https://wiki.php.net/rfc/bcrypt_cost_2023 RFC, 
> which is not code but configuration.
> [2] Should these be made constant-time / should constant-time implementations 
> always be available? See: https://github.com/paragonie/constant_time_encoding
> 

Cheers
Niels
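As an added illustration of the two points raised above (the pcre tunables Niels mentions, and Tim's "misuse resistance of return values" item), not code from either of them or from php-src: the snippet below lowers `pcre.backtrack_limit` for the request and shows why `preg_match()`'s `false` return (engine error, such as the backtracking budget being exhausted on a pathological pattern) must be handled separately from `0` (no match). The pattern and subject are constructed; PHP >= 8.0 is assumed for `preg_last_error_msg()`.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Assumes PHP >= 8.0 with ext/pcre (bundled PCRE2).
// Both tunables are PHP_INI_ALL, so they can be tightened per request.
// php.ini defaults: pcre.backtrack_limit=1000000, pcre.recursion_limit=100000.
ini_set('pcre.backtrack_limit', '100000');
ini_set('pcre.recursion_limit', '100000');

/**
 * Run preg_match() and keep its three outcomes apart:
 *   1     -> match
 *   0     -> no match
 *   false -> engine error (limits hit, bad UTF-8, ...)
 *
 * Returns ['matched' => bool, 'error' => ?string].
 */
function safe_match(string $pattern, string $subject): array
{
    $result = preg_match($pattern, $subject);
    if ($result === false) {
        // Fail closed: a limit hit is an error, not "no match".
        // For the backtracking budget this reads "Backtrack limit exhausted".
        return ['matched' => false, 'error' => preg_last_error_msg()];
    }
    return ['matched' => $result === 1, 'error' => null];
}

// Constructed input: nested quantifier plus a near-miss subject, the textbook
// shape that makes a backtracking engine do exponential work.
$pattern = '/^(a+)+$/';
$subject = str_repeat('a', 40) . 'b';

$r = safe_match($pattern, $subject);
if ($r['error'] !== null) {
    // Reject the input (or log and return a generic error); never fall through
    // to the "no match" branch, which is what `if (!preg_match(...))` would do.
    echo "regex aborted: {$r['error']}\n";
} else {
    echo $r['matched'] ? "matched\n" : "no match\n";
}
```

The defect this guards against is the common `if (!preg_match($p, $s))` idiom: because `false` and `0` are both falsy, an aborted match is silently reported as "did not match", so a validation regex that was meant to reject bad input may instead let the engine error pass as a rejection or, with the condition inverted, as acceptance. Checking `=== false` (or wrapping `preg_*` calls as above) keeps the limit a hard stop that is also visible in logs.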

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
