On Fri, Apr 22, 2011 at 10:52, Ferenc Kovacs <tyr...@gmail.com> wrote:
>
>
> On Fri, Apr 22, 2011 at 10:08 AM, Hannes Magnusson
> <hannes.magnus...@gmail.com> wrote:
>>
>> On Fri, Apr 22, 2011 at 09:40, Ferenc Kovacs <tyr...@gmail.com> wrote:
>> > Hi.
>> > There was a bug yesterday:
>> > http://bugs.php.net/bug.php?id=54584
>> > which made me realize that we don't have any documentation about
>> > security issues like XSS, CSRF, and stuff (the general OWASP Top Ten).
>> > I think that we should extend the current security documentation
>> > at http://php.net/manual/en/security.php and we should link this section
>> > in the other parts of the docs where it is relevant.
>> > For example the reserved variables section should link to the security
>> > implications of user-submitted data.
>> > Another thing that I would like to discuss: what should be the scope of
>> > the security docs?
>> > My personal opinion is that we should have complete documentation
>> > about the general web-related and the PHP-specific security issues and
>> > their mitigations.
>> > So it should contain everything from best practices for
>> > filtering/stripping HTML from user input, properly handling uploads,
>> > through security-related configuration options, securing the web server
>> > itself (or at least linking the relevant documentation from the vendors),
>> > like how to set up a mod_php/fastcgi/php-fpm installation from the
>> > security POV, chroot/jail, etc.
>> > I would happily contribute to such documentation, but first of all, I
>> > would like to know what you think about it.
>> > Personally I would love the idea of having that kind of documentation in
>> > the PHP manual, because it would have the greatest audience; if that isn't
>> > viable, I would like to have a section in wiki.php.net, and link that
>> > from the docs.
>>
>>
>> I totally agree with you.
>> There was at some point discussion about merging the
>> http://phpsec.org/ doc into the manual, but I think that went nowhere
>> as those peeps didn't want to play ball.
>> The security section in our manual definitely needs improvements, and
>> should be linked from everything from SQL execution functions to
>> superglobal docs.
>>
>> -Hannes
>
> What do you think about if we start a wiki page for brainstorming, gathering
> the info about the topics that need covering, maybe creating a Table of
> Contents, then we can start moving that to the docs?

It will never be moved into the docs if it starts in the wiki.
I recommend you just go ahead and scratch the itch you have for some of
the topics and see what happens.

-Hannes