Since we are now starting to see news reports about the latest release of PHP, and since these reports seem to be spinning this release as a knock against PHP, I thought I’d offer some context. My understanding is that the most serious security problem this release fixes is an infinite loop/buffer overflow in getimagesize: a specially crafted image supplied by a user and passed to the getimagesize function could cause a denial of service or arbitrary code execution.
It seems this security problem has been labeled “High Risk” because the potential for damage is very high. However, it must be pointed out that the other factor to consider with security is the probability of exploit, which in this case is relatively low. Only sites that pass user-supplied images to getimagesize are candidates to be affected by this problem. Systems that accept image uploads only from trusted content managers, as well as sites that screen uploaded images before passing them to getimagesize for layout and display, are unlikely to be affected, though screening narrows the exposure rather than removing it, since a crafted file in an accepted format still reaches the parser.
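What “screening before getimagesize” can look like in practice, as an added example that is not code from the original post: the upload is rejected unless it is small, actually came from this request, and begins with the magic bytes of one of the few formats the site expects; only then is it handed to getimagesize. The field name, size limit and accepted formats are assumptions for illustration.

```php
<?php
// Added example (not from the original post): pre-screen an uploaded file
// before it ever reaches getimagesize(). Field name, size limit and the
// accepted formats are assumptions; adjust them to the site's policy.

// Largest file we are willing to hand to the image parser (assumed policy).
define('MAX_IMAGE_BYTES', 2 * 1024 * 1024);

// Magic-byte prefixes of the only formats this site expects (assumed).
// Anything else getimagesize() would otherwise try to parse is rejected
// without being parsed at all.
$allowedSignatures = array(
    'jpeg' => "\xFF\xD8\xFF",
    'png'  => "\x89PNG\r\n\x1A\n",
    'gif'  => "GIF8",
);

/**
 * Returns the detected format name, or false if the file must be rejected.
 * This is a screen, not a parser: it only decides whether the file is worth
 * passing to getimagesize() at all.
 */
function screenUpload($path, array $signatures)
{
    // Refuse any path that is not the temporary file of this request's upload.
    if (!is_uploaded_file($path)) {
        return false;
    }
    $size = filesize($path);
    if ($size === false || $size === 0 || $size > MAX_IMAGE_BYTES) {
        return false;
    }
    // Read only as many bytes as the longest signature we check.
    $maxLen = max(array_map('strlen', $signatures));
    $head = file_get_contents($path, false, null, 0, $maxLen);
    if ($head === false) {
        return false;
    }
    foreach ($signatures as $name => $magic) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            return $name;
        }
    }
    return false;
}

// Typical use in an upload handler (the form field name 'photo' is assumed).
if (isset($_FILES['photo']) && $_FILES['photo']['error'] === UPLOAD_ERR_OK) {
    $tmp    = $_FILES['photo']['tmp_name'];
    $format = screenUpload($tmp, $allowedSignatures);
    if ($format === false) {
        header('HTTP/1.0 400 Bad Request');
        exit('Rejected: not an accepted image type or too large.');
    }
    // Only now does untrusted data reach the image parser. A crafted file in
    // an accepted format still gets this far, so the screen narrows exposure
    // but does not replace upgrading PHP.
    $info = @getimagesize($tmp);
    if ($info === false) {
        header('HTTP/1.0 400 Bad Request');
        exit('Rejected: image could not be parsed.');
    }
    list($width, $height) = $info;
    // ... store the file and use $width/$height for layout ...
}
```

The screen buys two things: files of formats the site never intended to serve are never parsed, and oversized or non-upload paths are turned away before any parsing code runs. It does not make a vulnerable getimagesize safe against a crafted JPEG, PNG or GIF, which is why the release itself is still the fix.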
It seems that most security releases these days treat the potential for damage as the sole deciding factor in rating the seriousness of a problem. In reality, security is a matter of likelihood as much as it is a matter of impact, since the only system that can be declared completely secure is the one that is powered down and disconnected.


One Comment
The editors of phpdeveloper.org have said:
I’d have to agree with Robert here – things are getting a little too out of control on security responses. Though, when it all comes down to it, I’d much rather everyone out there really jump on an issue like this rather than see it, disregard it with an “it’ll never happen to me”, and then suffer the consequences. That said, I think drama like this does seem a bit excessive…
My perspective is that security releases should provide a clear, unbiased picture of what’s going on. If we resort to drama to motivate people, we are going to have to start getting more and more dramatic as people gradually tune out the “high risk” issues that they later discover have no bearing on their systems. Worse, people become paranoid with insufficient information and start blaming the product, mistrusting it, pointing fingers. A little context could prevent this.