Sec Bug #81655 TrojanSource vulnerability
Submitted: 2021-11-24 14:30 UTC
Modified: 2021-12-02 08:03 UTC
From: seld@php.net
Assigned:
Status: Not a bug
Package: *Compile Issues
PHP Version: 8.0.13
OS: All
Private report: No
CVE-ID: None
 [2021-11-24 14:30 UTC] seld@php.net
Description:
------------
The PHP compiler appears to be vulnerable to the Trojan Source vulnerabilities 

https://trojansource.codes/

See https://github.com/nickboucher/trojan-source/pull/18 for repro cases for PHP. Depending on the editor you use these are rendered more or less confusingly.

See also the Rust CVE report https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html

Expected result:
----------------
The security report suggests this solution: Compilers, interpreters, and build pipelines supporting Unicode should throw errors or warnings for unterminated bidirectional control characters in comments or string literals, and for identifiers with mixed-script confusable characters.

The homoglyph attack is fairly theoretical and less dangerous IMO although it could still cause issues, but preventing the bidirectional characters sounds like it'd be worth it at least.
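
One way to run the check quoted above in a build pipeline, as an added example that is not part of the original report or of php-src: it uses PHP's tokenizer (token_get_all) to find comments and string literals and reports any that leave a bidirectional control character unterminated. The function names and the sample input are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example (not php-src code): report comments and string literals
// that leave a bidirectional control character open at the end of the token.
const BIDI_PDF = "\u{202C}";                             // closes LRE/RLE/LRO/RLO
const BIDI_PDI = "\u{2069}";                             // closes LRI/RLI/FSI
const BIDI_ISOLATES = ["\u{2066}", "\u{2067}", "\u{2068}"];

function unclosedBidi(string $text): int
{
    // Byte-level match on the UTF-8 forms of U+202A..U+202E and U+2066..U+2069,
    // so a file that is not valid UTF-8 elsewhere is still scanned.
    preg_match_all('/\xE2\x80[\xAA-\xAE]|\xE2\x81[\xA6-\xA9]/', $text, $m);
    $stack = [];
    foreach ($m[0] as $ch) {
        if ($ch === BIDI_PDF) {
            if (end($stack) === 'embed') {
                array_pop($stack);                       // PDF closes the innermost embedding/override
            }
        } elseif ($ch === BIDI_PDI) {
            $pos = array_search('isolate', array_reverse($stack, true), true);
            if ($pos !== false) {
                $stack = array_slice($stack, 0, $pos);   // PDI closes the isolate and anything inside it
            }
        } else {
            $stack[] = in_array($ch, BIDI_ISOLATES, true) ? 'isolate' : 'embed';
        }
    }
    return count($stack);
}

function scanPhpSource(string $code): array
{
    $checked = [T_COMMENT, T_DOC_COMMENT, T_CONSTANT_ENCAPSED_STRING, T_ENCAPSED_AND_WHITESPACE];
    $findings = [];
    foreach (token_get_all($code) as $token) {
        if (is_array($token) && in_array($token[0], $checked, true) && unclosedBidi($token[1]) > 0) {
            $findings[] = ['line' => $token[2], 'token' => token_name($token[0])];
        }
    }
    return $findings;
}

// Constructed sample: line 2 leaves an RLO open, line 3 is balanced, line 4 leaves an LRI open.
$sample = "<?php\n\$role = 'user\u{202E} note';\n/* \u{2067}abc\u{2069} */\n// \u{2066}todo\n";
foreach (scanPhpSource($sample) as $f) {
    printf("line %d: unterminated bidi control in %s\n", $f['line'], $f['token']);
}
```

The tokenizer splits an interpolated double-quoted string into several tokens, so a control pair that spans an interpolated variable is reported as unterminated.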


 [2021-11-24 16:30 UTC] pollita@php.net
PHP's interpreter is only explicitly ASCII aware and only allows other encodings which are ASCII transparent (such as UTF-8).

Beyond that, PHP should not make any assumptions about what kind of characters belong in comments and literals. This is application specific data.
 [2021-12-01 13:20 UTC] cmb@php.net
So, not a security issue or WONTFIX?
 [2021-12-01 13:26 UTC] seld@php.net
I discussed with Sara already but will repeat it here for the record: 

It is not a huge issue, but fixing the bidi chars would be nice. IMO pretending like 99% of code isn't written in UTF-8 these days is kinda playing ostrich, regardless of how technically correct the "interpreter is only ASCII aware" statement is.

Up to you all though, I don't have a patch so I'll accept the outcome :)
 [2021-12-02 08:03 UTC] stas@php.net
-Status: Open +Status: Not a bug
 [2021-12-02 08:03 UTC] stas@php.net
I don't think this is a PHP bug. It's not PHP runtime's place to distinguish "bad" code from "good" code - any code that passes syntax analyzer should run. If some tools that display the code for the benefit of humans reviewing untrusted code make "bad" code look like "good" code - this is the problem external to PHP and should not be solved in PHP.
 
Last updated: Fri Apr 26 19:01:29 2024 UTC