On Fri, Apr 22, 2011 at 10:08 AM, Hannes Magnusson <hannes.magnus...@gmail.com> wrote:

> On Fri, Apr 22, 2011 at 09:40, Ferenc Kovacs <tyr...@gmail.com> wrote:
> > Hi.
> > there was a bug yesterday:
> > http://bugs.php.net/bug.php?id=54584
> > which made me realize that we don't have any documentation about security
> > issues like XSS, CSRF, and stuff (the general OWASP Top Ten).
> > I think that we should extend the current security documentation
> > at http://php.net/manual/en/security.php and we should link this section in
> > the other parts of the docs where it is relevant.
> > For example the reserved variables section should link the security
> > implications of the user submitted data.
> > Another thing that I would like to discuss: what should be the scope of the
> > security docs?
> > My personal opinion is that we should have a complete documentation about
> > the general web related and the php specific security issues and their
> > mitigations.
> > So it should contain everything from best practices for filtering/stripping
> > html from user input, properly handling uploads, through security related
> > configuration options, securing the web server itself (or at least linking
> > the relevant documentation from the vendors) like how to set up a
> > mod_php/fastcgi/php-fpm installation from the security POV, chroot/jail,
> > etc.
> > I would happily contribute to such documentation, but first of all, I would
> > like to know what you think about it.
> > Personally I would love the idea to have that kind of documentation in the
> > php manual, because it would have the greatest audience; if that isn't
> > viable, I would like to have a section in wiki.php.net, and link that from
> > the docs.
>
>
> I totally agree with you.
> There was at some point discussion about merging the
> http://phpsec.org/ doc into the manual, but I think that went nowhere
> as those peeps didn't want to play ball.
> The security section in our manual definitely needs improvements, and
> should be linked from everything from sql execution functions to
> superglobal docs.
>
> -Hannes
>

What do you think about starting a wiki page for brainstorming, gathering
info about the topics that need covering, maybe creating a Table of Contents,
and then we can start moving that to the docs?

Tyrael
