On Fri, Apr 22, 2011 at 09:40, Ferenc Kovacs <tyr...@gmail.com> wrote:
> Hi.
> there was a bug yesterday:
> http://bugs.php.net/bug.php?id=54584
> which made me realize that we don't have any documentation about security
> issues like XSS, CSRF, and stuff (the general OWASP Top Ten).
> I think that we should extend the current security documentation
> at http://php.net/manual/en/security.php and we should link this section in
> the other part of the docs where it is relevant.
> For example the reserved variables section should link the security
> implications of the user submitted data.
> Another thing that I would like to discuss: what should be the scope of the
> security docs?
> My personal opinion is that we should have a complete documentation about
> the general web related and the php specific security issues and their
> mitigations.
> So it should contain everything from best practices for filtering/stripping
> html from user input, properly handling uploads, through security related
> configuration options, securing the web server itself (or at least linking
> the relevant documentation from the vendors) like how to set up an
> mod_php/fastcgi/php-fpm installation from the security POV, chroot/jail,
> etc.
> I would happily contribute to such documentation, but first of all, I would
> like to know what you think about it.
> Personally I would love the idea to have that kind of documentation in the
> php manual, because it would have the greatest audience, if that isn't
> viable, I would like to have a section in wiki.php.net, and link that from
> the docs.


I totally agree with you.
There was at some point discussion about merging the
http://phpsec.org/ doc into the manual, but I think that went nowhere
as those peeps didn't want to play ball.
The security section in our manual definitely needs improvements, and
should be linked from everything from sql execution functions to
superglobal docs.

-Hannes
