On Fri, Apr 22, 2011 at 10:52, Ferenc Kovacs <tyr...@gmail.com> wrote:
>
>
> On Fri, Apr 22, 2011 at 10:08 AM, Hannes Magnusson
> <hannes.magnus...@gmail.com> wrote:
>>
>> On Fri, Apr 22, 2011 at 09:40, Ferenc Kovacs <tyr...@gmail.com> wrote:
>> > Hi.
>> > There was a bug yesterday:
>> > http://bugs.php.net/bug.php?id=54584
>> > which made me realize that we don't have any documentation about
>> > security issues like XSS, CSRF, and stuff (the general OWASP Top Ten).
>> > I think that we should extend the current security documentation
>> > at http://php.net/manual/en/security.php and we should link this section
>> > in the other parts of the docs where it is relevant.
>> > For example the reserved variables section should link to the security
>> > implications of user-submitted data.
>> > Another thing that I would like to discuss: what should be the scope of
>> > the security docs?
>> > My personal opinion is that we should have complete documentation
>> > about the general web-related and the PHP-specific security issues and
>> > their mitigations.
>> > So it should contain everything from best practices for
>> > filtering/stripping HTML from user input, properly handling uploads,
>> > through security-related configuration options, securing the web server
>> > itself (or at least linking the relevant documentation from the vendors)
>> > like how to set up a mod_php/fastcgi/php-fpm installation from the
>> > security POV, chroot/jail, etc.
>> > I would happily contribute to such documentation, but first of all, I
>> > would like to know what you think about it.
>> > Personally I would love the idea of having that kind of documentation in
>> > the PHP manual, because it would have the greatest audience; if that isn't
>> > viable, I would like to have a section on wiki.php.net, and link that
>> > from the docs.
>>
>>
>> I totally agree with you.
>> There was at some point discussion about merging the
>> http://phpsec.org/ doc into the manual, but I think that went nowhere
>> as those peeps didn't want to play ball.
>> The security section in our manual definitely needs improvements, and
>> should be linked from everything from sql execution functions to
>> superglobal docs.
>>
>> -Hannes
>
> What do you think about if we start a wiki page for brainstorming, gathering
> the info about the topics that need covering, maybe creating a Table of Contents,
> then we can start moving that to the docs?

It will never be moved into the docs if it starts in the wiki.

I recommend you just go ahead and scratch the itch you have for some
of the topics and see what happens.

-Hannes