What is Involved in a code review of phpBB??

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
vanderaj
Registered User
Posts: 29
Joined: Sat Oct 25, 2003 6:57 am
Location: Melbourne, Australia

Re: What is Involved in a code review of phpBB??

Post by vanderaj »

I'm moderately competent at PHP, ASP.NET (in particular C#), and J2EE. The last is mainly due to my job (years of ferreting through financial apps), for which reason I also know VBscript (for old ASP apps) and VB.NET. I don't program in J2EE, ASP or VB.NET.

In the distant past, I've programmed in Pascal (uni and Mac days), and more recently C, C++, DEC Alpha and x86 assembler when I was in my Linux / XFree86 and pnm2ppa phase. I tried vectorizing pnm2ppa, but at the time MMX wasn't as great a win as I thought it'd be and the loss of precision had a very bad image quality impact. SSE3 processors probably would change that, but I don't have that printer any more.

I mainly program in PHP these days, but I prefer .NET if I'm writing tools for just little ol' me.

Andrew
programmermatt
Registered User
Posts: 9
Joined: Sat Dec 18, 2004 4:27 pm
Location: FunLand

Re: What is Involved in a code review of phpBB??

Post by programmermatt »

vanderaj wrote: What sort of code review? If you mean security code review, the metrics I use are 100 to 1000 lines = 1 day of work, depending on the depth you want to go to. It seems to just work out that way.
There are 87,527 lines of code in sql, js and php files (by my count) in phpBB2. By your figure, this is 875.3 to 87.5 days. I believe that you said you were taking volunteers :)?
vanderaj
Registered User
Posts: 29
Joined: Sat Oct 25, 2003 6:57 am
Location: Melbourne, Australia

Re: What is Involved in a code review of phpBB??

Post by vanderaj »

Yes. :)

I never review Javascript as it's trivial to circumvent. The user controls the Javascript, not the server.

SQL will only be reviewed if there are stored procedures in there. If there are no stored procedures, the major reason for looking at the schema is to ensure that data is as strongly typed as possible (i.e. dates are really SQL dates, post counts are ints, booleans are either sets or real booleans, and varchars are kept to a minimum size; e.g. bare zip codes are 5 digits long, and with 5 characters it is very hard to do a meaningful SQL injection with that field).

Andrew
projectphp
Registered User
Posts: 6
Joined: Thu Apr 08, 2004 7:14 am

Re: What is Involved in a code review of phpBB??

Post by projectphp »

You said at some point, and I tend to agree, that the 2.0.X branch is more pressing, in terms of a security review.

So, I have read a bit now and it sounds interesting. So what do you need? And by that, I mean be specific. Some questions that need answering:
1. How many people?
2. Is a "staffer" an absolute requirement?
3. Who will run the project (I assume you)?
4. How will it be co-ordinated?
5. When will all this start?
6. Do you have a timeline??

In order to garner volunteers, that is the sort of info required, and if you need certain things, work out if you can get them sooner rather than later, and go from there.
vanderaj
Registered User
Posts: 29
Joined: Sat Oct 25, 2003 6:57 am
Location: Melbourne, Australia

Re: What is Involved in a code review of phpBB??

Post by vanderaj »

projectphp wrote: You said at some point, and I tend to agree, that the 2.0.X branch is more pressing, in terms of a security review.
Yes, it's more pressing from a real world point of view. 99.9+% of production phpBB installs are not Olympus. But in some ways, if Olympus is really close to being released, then a code review now will help that stay secure and give a good reason for upgrading. That takes some pressure off doing the 2.0.x branch for a little bit.

As a bit of history though, I "fixed" XMB 1.9.1 like this, and the back ports to 1.8 never happened - no one had the time or the inclination to fix it. I started 1.8 SP4 several times. The fixes were so extensive, often it was simply easier to replace entire files with 1.9.1 files and change them to work with 1.8 templates (so new underpinnings, old look and feel).
So, I have read a bit now and it sounds interesting. So what do you need? And by that, i mean be specific. Some questions that need answering:
1. How many people?
As many as I can get. So far, two or three. Certainly, keeping it down to about five or so helps as sometimes there are too many helpers and coordination becomes n^2 difficult. However, luckily, security reviews are easily parallelizable once skill levels come up.

The best way to learn how to do a security code review is to do them, and ask questions. I'll take the volunteers I have so far through about an hour's worth of training in threat modelling and recommend they read a certain chapter of Threats and Countermeasures - a free PDF book by MS.

Then to ensure that we're all on the same page, we'd go through the "low lying fruit" examples as they are easy to learn, easy to exploit, and often yield the highest paybacks. For example, you search for fopen(), system(), getenv() and $_SERVER, and the major variables $_GET and friends. Once you find the places they are used, you apply STRIDE and see if there's a problem. If there is, you write it up. If there isn't a problem, instead I write "Such and such was investigated and found to be safe." If the safety goes beyond a happy circumstance, I write about the controls found. This can really help instill confidence in the coders that they're on track and doing well. Otherwise a security review reads like a Chicken Little report and helps no one as it really puts off even coders with ultra thick skins.
2. Is a "staffer" an absolute requirement?
No, but familiarity with the code and PHP coding will really help. Failing that, a great deal of enthusiasm to learn the innards of a major project - once complete, you may know the code better than some of the devs. Security reviews often crawl around in the darkest spots in many code bases. :)
3. Who will run the project (I assume you)?
I like being collaborative. I'm not fussed. In the open source world, the person who contributes the most is often the "leader" (fwiw) by default.
4. How will it be co-ordinated?
This is an interesting question. For this to be effective, as I'm in Australia (+11 UTC this week, +10 in a couple of weeks due to DST), and I'm fairly certain that most of the volunteers so far are not in Australia, it has to be via a private forum or a private blog or wiki. E-mail could work, but it starts to get hairy once there's more contributors and the attachment sizes creep up (most of my documents end up being about 3-4 MB in size due to screen shots and inclusions). Sticking with a wiki or a forum helps as everyone has a browser.

As each vulnerability can usually be fixed quickly by devs, unlike a normal review I do for clients, I don't want them to wait for the result of the entire review. Using a wiki or forum will allow them to see the completed reviews and take action as soon as they're done and the risks are agreed. For example, the example I created above took 1 minute to find, and about an hour to research and write up.

Once the code base is fixed, and we're certain that 2.0.x doesn't also suffer from the same problems, I'd like for the review to be made public. That way other projects and the devs can read through the history and be aware of the sort of things they should be looking for.
5. When will all this start?
Let's start now on PHP 3.0 as it seems close to release. That way we know that 3.0 can be released and let go for some time and makes a strong recommendation for hosters to foist it upon their recalcitrant PHP 2.0.x boards. Hosters hate being attacked.
6. Do you have a timeline??
Volunteer projects have a history of going for longer than you expect. I expect this to take about 30 * 8 = 240 hours, which, divided among four people who can contribute maybe 5 to 10 hours a week, may take six to eight weeks to complete. Of course, I could be wildly off course - maybe some of you are at Uni or have lots of free time and can contribute more than average. Until we start, we don't know for sure.

Andrew
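The "low lying fruit" search described in the post above, as an added example that is neither vanderaj's code nor part of phpBB: a small Python triage script that greps a constructed PHP fragment for the functions and superglobals the post names and ranks the hits so a reviewer works from highest payback down. The grouping into sinks and sources, the inclusion of $_POST/$_COOKIE/$_REQUEST under "$_GET and friends", and the sample PHP are my assumptions; the STRIDE analysis and the write-up stay manual.

```python
import re
from typing import Dict, List

# Functions and superglobals the post tells reviewers to search for.
# $_POST/$_COOKIE/$_REQUEST are my addition ("$_GET and friends").
SINK_RE = re.compile(r"\b(fopen|system|getenv)\s*\(")
SOURCE_RE = re.compile(r"\$_(GET|POST|COOKIE|REQUEST|SERVER)\b")
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed PHP fragment for demonstration; not taken from phpBB.
SAMPLE_PHP = """<?php
$page = $_GET['page'];
$fh = fopen('templates/' . $_GET['tpl'], 'r');
$path = getenv('PATH');
system('ls -l');
echo $_SERVER['REQUEST_URI'];
// fopen() mentioned in a comment must not be flagged
"""

def triage(php_source: str, filename: str = "<input>") -> List[Dict]:
    """One finding per line naming a sink or a source, highest payback first."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # drop // comments (crude: also cuts URLs)
        sinks = [m.group(1) for m in SINK_RE.finditer(code)]
        sources = ["$_" + m.group(1) for m in SOURCE_RE.finditer(code)]
        if not sinks and not sources:
            continue
        if sinks and sources:
            priority = "high"    # user input reaches a sink on this very line
        elif sinks:
            priority = "medium"  # sink present; trace its arguments by hand
        else:
            priority = "low"     # source read; follow where the value flows
        findings.append({"file": filename, "line": lineno, "priority": priority,
                         "sinks": sinks, "sources": sources, "code": code.strip()})
    # Sorted worklist: "high" first, then by line, so STRIDE is applied in payback order.
    return sorted(findings, key=lambda f: (PRIORITY_ORDER[f["priority"]], f["line"]))

def worklist(findings: List[Dict]) -> List[str]:
    """Render findings as the checklist the reviewer ticks off (safe or written up)."""
    return [f"[{f['priority']:6}] {f['file']}:{f['line']} "
            f"{', '.join(f['sinks'] + f['sources'])} :: {f['code']}"
            for f in findings]

if __name__ == "__main__":
    print("\n".join(worklist(triage(SAMPLE_PHP, "viewtopic.php"))))
```

Every "low" and "medium" hit that turns out harmless still gets its "investigated and found to be safe" line in the report, which is the point the post makes about not producing a Chicken Little write-up.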
programmermatt
Registered User
Posts: 9
Joined: Sat Dec 18, 2004 4:27 pm
Location: FunLand

Re: What is Involved in a code review of phpBB??

Post by programmermatt »

I am willing to volunteer. I am not a formal phpBB developer or regular contributor, but I do like phpBB, and am a (self-proclaimed) proficient PHP programmer. I also use phpBB quite frequently and would like to think I have become familiar with the code. At one point I was looking to integrate it with an open source project I am working on, but it was decided that for our needs it would be better to write one from scratch.

Anyway, I would be generally able to contribute 1-10 hours a week (yes, it can fluctuate that much :)). A more significant contribution I could make would be hosting. I could host the forums and wiki (as a combination of both seems optimal to me), as long as the general public does not gain admittance (as I might be afraid of going over my bandwidth).
vanderaj
Registered User
Posts: 29
Joined: Sat Oct 25, 2003 6:57 am
Location: Melbourne, Australia

Re: What is Involved in a code review of phpBB??

Post by vanderaj »

I already have a forum in place for a semi-abandoned project to create a next gen PHP 5.0 only MVC all singing all dancing forum. I have 16 GB a month to play with, so no problems with bandwidth on my end. No one visits the forum any more (not that many joined).

I've locked the forums down. You need to know where it is, you need to register, and you need to ask for a password to get into the forum to see the contents. That should provide enough privacy from random passers by.


I'll PM the details to those who have expressed an interest.

thanks,
Andrew
Alagba
Registered User
Posts: 68
Joined: Thu May 22, 2003 1:32 pm

Re: What is Involved in a code review of phpBB??

Post by Alagba »

LOL!!! There are different ways to become part of any team whatsoever. I'm beginning to smell a rat in this so-called 'code review'. Is it in actual fact a ploy to sneak in a phpBB fork through the back door?

Is it really a pretext of doing a code review, and when it's rejected by the legitimate dev team, it all of a sudden turns up as phpBB "reviewed" or "improved", something like that?

Just wondering:-)
programmermatt
Registered User
Posts: 9
Joined: Sat Dec 18, 2004 4:27 pm
Location: FunLand

Re: What is Involved in a code review of phpBB??

Post by programmermatt »

First off, it would be well within our rights to fork phpBB if we wanted to as it is published under the GPL.

Second, I have no intention of doing so as I don't have the time in addition to my other projects. I am surprised I have time for this.

Third, I see what you people do to gracious devs here. I have never before seen a group of people (phpbb dev team) work so hard for free, to get treated in the way they do by their community. IT'S OSS! It isn't supposed to make deadlines, it isn't supposed to come through always. That is the beauty of it. When it does come out, it is a surprise. Everyone can then all be like: "OMG!! It's done! I am going to call all my friends!!".

Fourth, the review was never rejected, as I see it, just viewed the wrong way by everyone but the dev team, and the dev team got agitated.
vanderaj
Registered User
Posts: 29
Joined: Sat Oct 25, 2003 6:57 am
Location: Melbourne, Australia

Re: What is Involved in a code review of phpBB??

Post by vanderaj »

I'm beginning to smell a rat in this so-called 'code review'. Is it in actual fact a ploy to sneak in a phpBB fork through the back door?
Good point, but no dice. Here's what's on my out of hours list of things to do so far:
  • OWASP Guide 2.0 editorship. Need to finish that effort by around April 18 when I'm presenting it to linux.conf.au's security mini-conf
  • linux.conf.au: Need to create a 50-55 minute presentation on above
  • phpBB code review: when it's done, it's done
  • eat
  • have a social life
  • watch Tivo. A lot. It records way more than I actually view
  • Rub my cats' tummies (they hate it, but someone has to do it)
  • Go to WeightWatchers once a week. Go to the gym on the other nights
  • Finally get through the Firefly DVD box set I bought a few months back
  • Play Civ 3. I can't help myself
  • Run my 2500 member Volkswagen forum (which runs XMB 1.9.1)
  • Develop the scalable version of XMB Xtreme as I promised a friend I would
  • Sleep
Without cloning me, if you can see any spare time to fork phpBB or work on Gaia itself, please let me know. I'm sure I can find more time for Civ3 or watching Tivo.

You will be able to tell if I ever change my mind ... there will be an XMB 1.9.1 -> phpBB 3.0 convertor popping out. :)

Andrew