Sec Bug #81655 TrojanSource vulnerability
Submitted: 2021-11-24 14:30 UTC Modified: 2021-12-02 08:03 UTC
From: seld@php.net Assigned:
Status: Not a bug Package: *Compile Issues
PHP Version: 8.0.13 OS: All
Private report: No CVE-ID: None
 [2021-11-24 14:30 UTC] seld@php.net
Description:
------------
The PHP compiler appears to be vulnerable to the Trojan Source vulnerabilities:

https://trojansource.codes/

See https://github.com/nickboucher/trojan-source/pull/18 for repro cases for PHP. Depending on the editor you use these are rendered more or less confusingly.

See also the Rust CVE report https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html

Expected result:
----------------
The security report suggests this solution: Compilers, interpreters, and build pipelines supporting Unicode should throw errors or warnings for unterminated bidirectional control characters in comments or string literals, and for identifiers with mixed-script confusable characters.

The homoglyph attack is fairly theoretical and less dangerous IMO although it could still cause issues, but preventing the bidirectional characters sounds like it'd be worth it at least.


 [2021-11-24 16:30 UTC] pollita@php.net
PHP's interpreter is only explicitly ASCII aware and only allows other encodings which are ASCII transparent (such as UTF-8).

Beyond that, PHP should not make any assumptions about what kind of characters belong in comments and literals. This is application specific data.
 [2021-12-01 13:20 UTC] cmb@php.net
So, not a security issue or WONTFIX?
 [2021-12-01 13:26 UTC] seld@php.net
I discussed with Sara already but will repeat it here for the record: 

It is not a huge issue, but fixing the bidi chars would be nice. IMO pretending like 99% of code isn't written in UTF-8 these days is kinda playing ostrich, regardless of how technically correct the "interpreter is only ASCII aware" statement is.

Up to you all though, I don't have a patch so I'll accept the outcome :)
 [2021-12-02 08:03 UTC] stas@php.net
-Status: Open +Status: Not a bug
 [2021-12-02 08:03 UTC] stas@php.net
I don't think this is a PHP bug. It's not PHP runtime's place to distinguish "bad" code from "good" code - any code that passes syntax analyzer should run. If some tools that display the code for the benefit of humans reviewing untrusted code make "bad" code look like "good" code - this is the problem external to PHP and should not be solved in PHP.
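
Added example (not part of this bug thread and not PHP project code): a check of the kind the report's "Expected result" describes, run as an external build-pipeline step rather than inside the interpreter. It is written in Python, uses a simplified per-line nesting model of UAX #9 as an assumption, and the PHP sample text and the `scan_bidi` name are constructed for illustration.

```python
import sys
import unicodedata

# Bidirectional formatting controls from UAX #9.
EMBEDDINGS = {"\u202a", "\u202b", "\u202d", "\u202e"}  # LRE, RLE, LRO, RLO
ISOLATES = {"\u2066", "\u2067", "\u2068"}              # LRI, RLI, FSI
PDF, PDI = "\u202c", "\u2069"                          # their terminators

# Constructed sample: PHP text with the controls written as escapes.
SAMPLE = (
    "<?php\n"
    "$a = 'x\u2066y\u2069';\n"   # isolate opened and closed: balanced
    "// note \u202e text\n"      # override never closed on its line
    "echo $a; \u202c\n"          # terminator with nothing open
)


def scan_bidi(source):
    """Return (line, column, character name, problem) for each unbalanced control.

    Simplified model (an assumption of this example): each opener must be
    closed by its own terminator before the end of the same line.
    """
    findings = []
    for line_no, line in enumerate(source.split("\n"), start=1):
        open_controls = []  # (column, char) for openers not yet closed
        for col, ch in enumerate(line, start=1):
            if ch in EMBEDDINGS or ch in ISOLATES:
                open_controls.append((col, ch))
            elif ch in (PDF, PDI):
                wanted = EMBEDDINGS if ch == PDF else ISOLATES
                if open_controls and open_controls[-1][1] in wanted:
                    open_controls.pop()
                else:
                    findings.append((line_no, col, unicodedata.name(ch), "stray terminator"))
        for col, ch in open_controls:
            findings.append((line_no, col, unicodedata.name(ch), "unterminated"))
    return findings


if __name__ == "__main__":
    # With file arguments, scan them; with none, scan the constructed sample.
    texts = {p: open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]}
    texts = texts or {"<sample>": SAMPLE}
    hits = [(p, f) for p, t in texts.items() for f in scan_bidi(t)]
    for path, (line_no, col, name, problem) in hits:
        print(f"{path}:{line_no}:{col}: {problem} {name}")
    sys.exit(1 if hits else 0)
```

The non-zero exit status lets a CI job or pre-commit hook fail when a source file carries an unbalanced control; balanced pairs are not reported and still warrant a look in review.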