On 20.06.2019 at 17:54, Nikita Popov wrote:

> On Sun, Mar 17, 2019 at 10:23 PM Stanislav Malyshev <smalys...@gmail.com>
> wrote:
>
>> Hi!
>>
>> Looking at the recent PHP security issues, it is clear that many of them
>> are stemming from corner cases in various format-parsing code, and most
>> of them either are or can be found by fuzzers.
>>
>> Thus, I've made an initial integration for PHP on OSS-fuzz project - a
>> fuzzing engine for testing open source projects. PHP configuration sits
>> here:
>> https://github.com/google/oss-fuzz/tree/master/projects/php
>> and implementation of fuzzers is here:
>> https://github.com/php/php-fuzzing-sapi
>>
>> So far we have three fuzzers enabled: JSON, EXIF and mbstring. I plan
>> also to add basic phar fuzzer soon. Everybody is welcome to add more
>> fuzzers - with priority on ones that actually deal with third-party
>> data, e.g. language parser fuzzer is not enabled right now, because
>> people usually do not run random byte streams as PHP scripts on their
>> servers. On the other hand, people do apply EXIF or gd functions to
>> third-party data, so a vulnerability in that code would be high priority.
>>
>> That said, fuzzers can be run independently of OSS-Fuzz, so if you feel
>> inspired to add a fuzzer for any code please do so.
>
> Where are issues detected by oss-fuzz reported?

Everyone who is listed under primary_contact or auto_ccs[1] should be
able to see the reports on <https://oss-fuzz.com/> and gets e-mails for
first time issues (works for me for libgd).

[1] <https://github.com/google/oss-fuzz/blob/master/projects/php/project.yaml>

Thanks,
Christoph