On Fri, Apr 22, 2011 at 10:08 AM, Hannes Magnusson < hannes.magnus...@gmail.com> wrote:
> On Fri, Apr 22, 2011 at 09:40, Ferenc Kovacs <tyr...@gmail.com> wrote:
> > Hi.
> > There was a bug yesterday:
> > http://bugs.php.net/bug.php?id=54584
> > which made me realize that we don't have any documentation about security
> > issues like XSS, CSRF, and so on (the general OWASP Top Ten).
> > I think that we should extend the current security documentation
> > at http://php.net/manual/en/security.php and we should link this section in
> > the other parts of the docs where it is relevant.
> > For example, the reserved variables section should link the security
> > implications of user-submitted data.
> > Another thing that I would like to discuss: what should be the scope of the
> > security docs?
> > My personal opinion is that we should have complete documentation about
> > the general web-related and the PHP-specific security issues and their
> > mitigations.
> > So it should contain everything from best practices for filtering/stripping
> > HTML from user input, properly handling uploads, through security-related
> > configuration options, securing the web server itself (or at least linking
> > the relevant documentation from the vendors) like how to set up an
> > mod_php/fastcgi/php-fpm installation from the security POV, chroot/jail,
> > etc.
> > I would happily contribute to such documentation, but first of all, I would
> > like to know what you think about it.
> > Personally I would love the idea of having that kind of documentation in the
> > PHP manual, because it would have the greatest audience; if that isn't
> > viable, I would like to have a section in wiki.php.net, and link that from
> > the docs.
>
> I totally agree with you.
> There was at some point discussion about merging the
> http://phpsec.org/ doc into the manual, but I think that went nowhere
> as those peeps didn't want to play ball.
>
> The security section in our manual definitely needs improvements, and
> should be linked from everything from SQL execution functions to
> superglobal docs.
>
> -Hannes

What do you think about starting a wiki page for brainstorming, gathering info about the topics that need covering, maybe creating a table of contents, and then moving that to the docs?

Tyrael
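Added example (not part of the thread, and not from the PHP manual or phpsec.org): the two issues the proposal names first, XSS and CSRF, shown as the vulnerable pattern beside the mitigated one, with superglobals treated as untrusted input. It assumes PHP 7 or later (random_bytes, hash_equals) and, for a stand-alone CLI run, a plain array standing in for a started session; the function names and the probe string are constructed for illustration.

```php
<?php
// Added example, not code from the thread or the PHP manual.
// Assumes PHP >= 7. $_GET/$_POST/$_COOKIE/$_SERVER carry attacker-controlled data.
declare(strict_types=1);

// --- XSS: reflecting a superglobal into HTML ---

// Vulnerable: the raw value is concatenated straight into the page,
// so a value containing '<script>' becomes live markup.
function greet_vulnerable(array $get): string
{
    return '<p>Hello, ' . ($get['name'] ?? '') . '</p>';
}

// Mitigated: encode for the HTML text context at output time.
// ENT_QUOTES also covers single-quoted attributes; ENT_SUBSTITUTE replaces
// invalid byte sequences instead of returning ''; the charset must match the page.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function greet_safe(array $get): string
{
    return '<p>Hello, ' . html((string)($get['name'] ?? '')) . '</p>';
}

// --- CSRF: a state-changing POST with no proof the user intended it ---

// One secret per session, generated from the CSPRNG and embedded in every form
// as a hidden field; a cross-site form cannot read it.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Reject when the token is missing, not a string, or differs from the session's.
// hash_equals compares in constant time so the check does not leak by timing.
function csrf_check(array $post): bool
{
    return isset($_SESSION['csrf'], $post['csrf'])
        && is_string($post['csrf'])
        && hash_equals($_SESSION['csrf'], $post['csrf']);
}

// Constructed input: a reflected-XSS probe. In a real request session_start()
// would populate $_SESSION; here an array stands in so the file runs from the CLI.
$_SESSION = [];
$probe = ['name' => '<script>alert(1)</script>'];

echo greet_vulnerable($probe), "\n"; // script element reaches the browser intact
echo greet_safe($probe), "\n";       // angle brackets are entity-encoded, no element is created

$token = csrf_token();
var_dump(csrf_check(['csrf' => $token]));   // genuine form submission
var_dump(csrf_check(['csrf' => 'forged']));  // token guessed by a third-party page
var_dump(csrf_check([]));                    // token omitted entirely
```

The point the proposal makes about linking from the reserved-variables page is visible in the first function: the bug is not in $_GET itself but in writing its contents into an HTML context without encoding, and the fix belongs at the output boundary, not at the point the superglobal is read.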