<!DOCTYPE html> <html> <head> <meta charset="utf-8"> <title>PHP: security</title> <link rel="canonical" href="https://wiki.php.net/security"/> </head> <body id=""> <div class="wrap"> <section class="fullscreen clearfix"> <section class="mainscreen"> <div id="dokuwiki__site"><div id="dokuwiki__top" class="site dokuwiki mode_show tpl_phpnet "> <div class="wrapper group"> <!-- ********** CONTENT ********** --> <div id="dokuwiki__content"><div class="pad group"> <div class="pageId"><span>security</span></div> <div class="page group"> <!-- wikipage start --> <h1 class="sectionedit1" id="meta">Meta</h1> <div class="level1"> <ul> <li class="level1"><div class="li"> Authors: Release Managers</div> </li> <li class="level1"><div class="li"> Date: November 2016</div> </li> <li class="level1"><div class="li"> Version: 1.0.1</div> </li> <li class="level1"><div class="li"> <abbr title="Request for Comments">RFC</abbr>: <a href="/rfc/security-classification" class="wikilink1"
title="rfc:security-classification" data-wiki-id="rfc:security-classification">Security Issue Classification</a></div> </li> </ul> <blockquote class="blockquote-plugin"> <p> <strong>The canonical version of this document now lives at <a href="https://github.com/php/policies/blob/main/security-classification.rst" class="urlextern" title="https://github.com/php/policies/blob/main/security-classification.rst" rel="ugc nofollow">https://github.com/php/policies/blob/main/security-classification.rst</a></strong> </p> </blockquote> </div> <h1 class="sectionedit2" id="introduction">Introduction</h1> <div class="level1"> <p> For the sake of our users, we classify some of the issues found in PHP as “security issues”. This document explains which issues are classified that way, how we handle them, and how to report them. </p> </div> <h1 class="sectionedit3" id="classification">Classification</h1> <div class="level1"> <p> We classify as security issues bugs that: </p> <ul> <li class="level1"><div class="li"> allow users to execute unauthorized actions</div> </li> <li class="level1"><div class="li"> cross security boundaries</div> </li> <li class="level1"><div class="li"> access data that is not intended to be accessible</div> </li> <li class="level1"><div class="li"> severely impact the availability or performance of the system </div> </li> </ul> <p> The purpose of this classification is to alert users and developers to the bugs whose handling needs to be prioritized. </p> <p> We define three categories of security issues by severity, described below. Please note that this categorization is in many respects subjective, so it ultimately relies on the judgement of the PHP developers.
</p> </div> <h2 class="sectionedit4" id="high_severity">High severity</h2> <div class="level2"> <p> These issues may allow: </p> <ul> <li class="level1"><div class="li"> a third party to compromise any, or most, installations of PHP</div> </li> <li class="level1"><div class="li"> the execution of arbitrary code</div> </li> <li class="level1"><div class="li"> disabling the system completely</div> </li> <li class="level1"><div class="li"> access to any file a local PHP user can access. </div> </li> </ul> <p> The issue can be triggered on any, or most, typical installations and does not require exotic or non-recommended settings to be triggered. </p> <p> This category also includes issues that can be triggered during typical usage in code or functions known to be frequently used (session, json, mysql, openssl, etc.), and that require settings or configurations that may not be strictly best practice but are commonly used. </p> <p> This category may also include issues that require a special code pattern, if that pattern is present in many popular libraries. </p> <p> Issues of this kind usually require a CVE.
</p> </div> <h2 class="sectionedit5" id="medium_severity">Medium severity</h2> <div class="level2"> <p> These issues may have the same potential to compromise an installation as a high severity issue, but may also require: </p> <ul> <li class="level1"><div class="li"> an extension that is not commonly used</div> </li> <li class="level1"><div class="li"> a particular type of configuration that is used only in narrow, specific circumstances</div> </li> <li class="level1"><div class="li"> an old version of a third-party library being used</div> </li> <li class="level1"><div class="li"> code, or patterns of code, that are known to be used infrequently</div> </li> <li class="level1"><div class="li"> code that is very old or extremely uncommon (and so is used infrequently)</div> </li> </ul> <p> Issues of this kind will usually have a CVE number, unless the required configuration is so exotic that it is not practically usable. </p> </div> <h2 class="sectionedit6" id="low_severity">Low severity</h2> <div class="level2"> <p> These issues allow a theoretical compromise of security, but a practical attack is usually impossible or extremely hard because of common practices or limitations that are virtually always present or imposed. </p> <p> This category also includes problems with configuration, documentation, and other non-code parts of the PHP project that may mislead users or cause them to make their system or their code less secure. </p> <p> Issues that can trigger unauthorized actions that do not seem to be useful for any practical attack can also be categorized as low severity. </p> <p> Security issues that are present only in unstable branches belong to this category too. Any branch that has no stable release is per se not intended for production use. </p> <p> Low severity issues usually do not need a CVE and may, at the discretion of the PHP developers, be disclosed publicly before the fix is released or available.
</p> </div> <h2 class="sectionedit7" id="not_a_security_issue">Not a security issue</h2> <div class="level2"> <p> We do not classify as a security issue any issue that: </p> <ul> <li class="level1"><div class="li"> requires invocation of specific code, which may be valid but is obviously malicious</div> </li> <li class="level1"><div class="li"> requires invocation of functions with specific arguments, which may be valid but are obviously malicious</div> </li> <li class="level1"><div class="li"> requires specific actions to be performed on the server, which are not commonly performed, or are not commonly permissible for the user (uid) executing PHP</div> </li> <li class="level1"><div class="li"> requires privileges superior to those of the user (uid) executing PHP</div> </li> <li class="level1"><div class="li"> requires the use of debugging facilities, e.g. xdebug, var_dump</div> </li> <li class="level1"><div class="li"> requires the use of settings not recommended for production, e.g. error reporting to output</div> </li> <li class="level1"><div class="li"> requires the use of non-standard environment variables, e.g. USE_ZEND_ALLOC</div> </li> <li class="level1"><div class="li"> requires the use of non-standard builds, e.g. an obscure embedded platform or a compiler that is not commonly used</div> </li> <li class="level1"><div class="li"> requires the use of code or settings known to be insecure</div> </li> <li class="level1"><div class="li"> requires the use of FFI</div> </li> <li class="level1"><div class="li"> requires an open_basedir bypass</div> </li> </ul> </div> <h1 class="sectionedit8" id="handling_issues">Handling issues</h1> <div class="level1"> <p> High and medium severity fixes are developed in a separate security repository and merged before the release is tagged. </p> <p> Low severity fixes are merged as soon as the fix is available and are subsequently handled like all regular bugs.
However, release managers may choose to pull those fixes into the RC branch after the branch is created, and also to backport them into the security-only release branch. </p> </div> <h1 class="sectionedit9" id="faq">FAQ</h1> <div class="level1"> <p> Q. How do I report a security issue?<br/> A. Please report it on <a href="http://bugs.php.net" class="urlextern" title="http://bugs.php.net" rel="ugc nofollow">http://bugs.php.net</a>, choosing the type “Security”. This will automatically make the report private. If for some reason you cannot do that, or need to talk to somebody about a PHP security issue that is not exactly a bug report, please write to security@php.net. You can also submit a security report on GitHub: <a href="https://github.com/php/php-src/security/advisories/new" class="urlextern" title="https://github.com/php/php-src/security/advisories/new" rel="ugc nofollow">https://github.com/php/php-src/security/advisories/new</a> </p> <p> Q. What do you consider responsible disclosure?<br/> A. Please report the issue as described above. Please communicate with the developers about when the fix will be released; usually it is the next monthly release after the bug was reported, though some issues can take longer. After the fix is released (releases usually happen on a Thursday) please feel free to disclose the issue as you see fit. </p> <p> Q. What if I think it's a security issue but the developers disagree?<br/> A. Please read the above and try to explain to us why it fits the description. </p> <p> Q. What if the developers still don't think it's a security issue?<br/> A. We'll have to agree to disagree. </p> <p> Q. The bug I submitted was classified as “not a security issue”; don't you believe it's real?<br/> A. That has nothing to do with whether the bug is real or how important it is to you. It just means it does not fit our specific definitions of the issues we handle in a special way. We fix a lot of non-security bugs, and pull requests are always welcome. </p> <p> Q.
But you classified bug #424242 as a security issue, but not this one?!<br/> A. Each bug has its own particular aspects; if a short discussion does not yield agreement, we would rather spend the time fixing than arguing. </p> <p> Q. Do you pay bounties for security issues?<br/> A. PHP is a volunteer project. We have no money, so we cannot pay them. </p> </div> <!-- wikipage stop --> </div> <div class="docInfo"><bdi>security.txt</bdi> · Last modified: 2025/04/03 13:08 by <bdi>127.0.0.1</bdi></div> </div></div><!-- /content --> </div><!-- /wrapper --> </div></div><!-- /site --> </section> </section><!-- .fullscreen --> <footer> <nav class="fullscreen"> <ul> <li><a href="//php.net/copyright">Copyright © 2001-2025 The PHP Group</a></li> </ul> </nav> </footer> </div><!-- .wrap --> </body> </html>