php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #81655 TrojanSource vulnerability
Submitted: 2021-11-24 14:30 UTC Modified: 2021-12-02 08:03 UTC
From: seld@php.net Assigned:
Status: Not a bug Package: *Compile Issues
PHP Version: 8.0.13 OS: All
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: seld@php.net
New email:
PHP Version: OS:

 

 [2021-11-24 14:30 UTC] seld@php.net
Description:
------------
The PHP compiler appears to be vulnerable to the Trojan Source vulnerabilities 

https://trojansource.codes/

See https://github.com/nickboucher/trojan-source/pull/18 for repro cases for PHP. Depending on the editor you use these are rendered more or less confusingly.

See also the rust CVE report https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html

Expected result:
----------------
The security report suggests this solution: Compilers, interpreters, and build pipelines supporting Unicode should throw errors or warnings for unterminated bidirectional control characters in comments or string literals, and for identifiers with mixed-script confusable characters.

The homoglyph attack is fairly theoretical and less dangerous IMO although it could still cause issues, but preventing the bidirectional characters sounds like it'd be worth it at least.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-11-24 16:30 UTC] pollita@php.net
PHP's interpreter is only explicitly ASCII aware and only allows other encodings which are ASCII transparent (such as UTF-8).

Beyond that, PHP should not make any assumptions about what kind of characters belong in comments and literals. This is application specific data.
 [2021-12-01 13:20 UTC] cmb@php.net
So, not a security issue or WONTFIX?
 [2021-12-01 13:26 UTC] seld@php.net
I discussed with Sara already but will repeat it here for the record: 

It is not a huge issue, but fixing the bidi chars would be nice. IMO pretending like 99% of code isn't written in UTF-8 these days is kinda playing ostrich, regardless of how technically correct the "interpreter is only ASCII aware" statement is.

Up to you all though, I don't have a patch so I'll accept the outcome :)
 [2021-12-02 08:03 UTC] stas@php.net
-Status: Open +Status: Not a bug
 [2021-12-02 08:03 UTC] stas@php.net
I don't think this is a PHP bug. It's not PHP runtime's place to distinguish "bad" code from "good" code - any code that passes syntax analyzer should run. If some tools that display the code for the benefit of humans reviewing untrusted code make "bad" code look like "good" code - this is the problem external to PHP and should not be solved in PHP.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 17:01:58 2024 UTC