[php-maint] PHP security policy review
Moritz Muehlenhoff
jmm at inutil.org
Wed Jun 30 17:21:23 UTC 2010
On Tue, Jun 29, 2010 at 08:37:40PM -0500, Raphael Geissert wrote:
> Hi everyone,
>
> While reviewing the security policy for PHP I noticed a few gaps which I think
> are important to address.
>
> At the moment I'd like to propose the following changes, so please comment and
> feel free to propose others:
>
> > --- a/debian/README.Debian.security
> > +++ b/debian/README.Debian.security
> > @@ -1,10 +1,13 @@
> >
> > the Debian stable security team does not provide security support
> > -for certain configurations known to be inherently insecure. Most
> > -specifically, the security team will not provide support for flaws in:
> > +for certain configurations known to be inherently insecure. This
> > +includes the interpreter itself, extensions, and code written in the
> > +PHP language. Most specifically, the security team will not provide
> > +support for flaws in:
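Review bot: the antecedent of "This" in "This includes the interpreter itself, extensions, and code written in the PHP language" is ambiguous: read directly after "configurations known to be inherently insecure", it says the interpreter, extensions and PHP code are themselves such configurations, rather than being the things the policy covers. Suggest naming the scope explicitly, e.g. "This policy covers the interpreter itself, its extensions, and applications written in PHP.", or placing that sentence before the one about inherently insecure configurations.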
>
> To clarify that the policy applies to the interpreter and apps, which is how
> it has been treated so far.
>
> > - problems which are not flaws in the design of php but can be problematic
> > - when used by sloppy developers (for example, not checking the contents
> > - of a tar file before extracting it).
> > + when used by sloppy developers (for example: not checking the contents
> > + of a tar file before extracting it, using unserialize() on
> > + untrusted data, or relying on a specific value of short_open_tag).
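Review bot: the cover note says this item is meant to cover "ini settings such as short_open_tag", but the added text names only short_open_tag, so a reader will take that one setting as the whole exclusion. Suggest "or relying on a specific value of an ini setting such as short_open_tag)." so the wording matches the stated intent and does not need a new upload for the next setting that comes up.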
>
> To include unserialize() and ini settings such as short_open_tag.
>
> If there are no objections, I'm going to include that change in the next
> upload and make it the policy for Squeeze. Unless there's a reason to
> reconsider the policy applying to lenny, it won't be updated to squeeze's.
Looks good to me.
Cheers,
Moritz
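To illustrate the unserialize() item in the wording agreed above, here is an added example; it is not code from the Debian php package or from anyone in this thread. The class, the function names and the payload are constructed for the demonstration, and it assumes PHP 7.0 or later for the allowed_classes option, which did not exist when this thread was written.

```php
<?php
// Added example; not code from the Debian php package or from this thread.
// It shows why "using unserialize() on untrusted data" belongs on the
// unsupported list: whoever controls the serialized string picks which
// class gets instantiated, and that class's magic methods then run.
// Assumes PHP >= 7.0 for the allowed_classes option.

class CacheWriter
{
    public $path;
    public $data;

    // Called automatically after unserialize() rebuilds an object of this class.
    // A legitimate caller might use it to refresh a cache file; with
    // attacker-chosen properties it is a file write to an arbitrary path.
    public function __wakeup()
    {
        file_put_contents($this->path, $this->data);
    }
}

// Constructed attacker payload, e.g. the value of a cookie or a hidden field.
// Every length prefix must match its string exactly, so the path length is
// computed rather than typed in.
$target    = sys_get_temp_dir() . '/unserialize_demo';
$untrusted = 'O:11:"CacheWriter":2:{'
           . 's:4:"path";s:' . strlen($target) . ':"' . $target . '";'
           . 's:4:"data";s:5:"owned";}';

// Sloppy: any class named in the input is instantiated and its __wakeup() runs.
function loadSessionVulnerable(string $blob)
{
    return unserialize($blob);
}

// Hardened: refuse to instantiate classes. Objects come back as
// __PHP_Incomplete_Class, so no __wakeup()/__destruct() of application code runs.
function loadSessionSafe(string $blob)
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Better still for data that crosses a trust boundary: a format with no
// object semantics. json_decode() with $assoc = true yields only arrays and scalars.
function loadSessionJson(string $blob)
{
    $value = json_decode($blob, true);
    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new InvalidArgumentException('malformed session data');
    }
    return $value;
}

@unlink($target);

// Safe path: the payload is accepted as data but stays inert.
$obj = loadSessionSafe($untrusted);
if (!($obj instanceof __PHP_Incomplete_Class) || file_exists($target)) {
    throw new RuntimeException('allowed_classes=false should have neutralised the payload');
}

// JSON path: the same kind of input can never become a CacheWriter.
$session = loadSessionJson('{"path":"/cache/u42","data":"..."}');
if (!is_array($session)) {
    throw new RuntimeException('json_decode with assoc=true must return an array');
}

// Vulnerable path: the same bytes now write a file the application never intended.
loadSessionVulnerable($untrusted);
if (!file_exists($target)) {
    throw new RuntimeException('expected __wakeup() to have written the file');
}
unlink($target);

echo "unserialize() ran an attacker-chosen __wakeup(); allowed_classes=false and JSON did not\n";
```

The point for the policy text is that nothing here is a bug in the interpreter: unserialize() does exactly what it documents, and the only fix is on the application side, either by refusing classes or by not feeding PHP's serialization format untrusted input at all.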