I'm moderately competent at PHP, ASP.NET (in particular C#), and J2EE. The last is mainly due to my job (years of ferreting through financial apps), for which reason I also know VBscript (for old ASP apps) and VB.NET. I don't program in J2EE, ASP or VB.NET.
In the distant past, I've programmed in Pascal (uni and Mac days), and more recently C, C++, DEC Alpha and x86 assembler when I was in my Linux / XFree86 and pnm2ppa phase. I tried vectorizing pnm2ppa, but at the time MMX wasn't as great a win as I thought it'd be and the loss of precision had a very bad image quality impact. SSE3 processors probably would change that, but I don't have that printer any more.
I mainly program in PHP these days, but I prefer .NET if I'm writing tools for just little ol' me.
Andrew
What is Involved in a code review of phpBB??
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
- Registered User
- Posts: 9
- Joined: Sat Dec 18, 2004 4:27 pm
- Location: FunLand
Re: What is Involved in a code review of phpBB??
vanderaj wrote: What sort of code review? If you mean security code review, the metrics I use are 100 to 1000 lines = 1 day of work, depending on the depth you want to go to. It seems to just work out that way.
There are 87,527 lines of code in sql, js and php files (by my count) in phpBB2. By your figure, this is 875.3 to 87.5 days. I believe that you said you were taking volunteers?
- Registered User
- Posts: 29
- Joined: Sat Oct 25, 2003 6:57 am
- Location: Melbourne, Australia
Re: What is Involved in a code review of phpBB??
Yes.
I never review Javascript as it's trivial to circumvent. The user controls the Javascript, not the server.
SQL will only be reviewed if there's stored procedures in there. If there's no stored procedures, the major reason for looking at the schema is to ensure that data is as strongly typed as possible (i.e. dates are really SQL dates, post counts are ints, booleans are either sets or real booleans, and varchars are kept to a minimum size: bare zip codes are 5 digits long, and with 5 characters it is very hard to do a meaningful SQL injection with that field).
Andrew
- Registered User
- Posts: 6
- Joined: Thu Apr 08, 2004 7:14 am
Re: What is Involved in a code review of phpBB??
You said at some point, and I tend to agree, that the 2.0.X branch is more pressing, in terms of a security review.
So, I have read a bit now and it sounds interesting. So what do you need? And by that, I mean be specific. Some questions that need answering:
1. How many people?
2. Is a "staffer" an absolute requirement?
3. Who will run the project (I assume you)?
4. How will it be co-ordinated?
5. When will all this start?
6. Do you have a timeline??
In order to garner volunteers, that is the sort of info required, and if you need certain things, work out if you can get them sooner rather than later, and go from there.
- Registered User
- Posts: 29
- Joined: Sat Oct 25, 2003 6:57 am
- Location: Melbourne, Australia
Re: What is Involved in a code review of phpBB??
projectphp wrote: You said at some point, and I tend to agree, that the 2.0.X branch is more pressing, in terms of a security review.
Yes, it's more pressing from a real world point of view. 99.9+% of production phpBB installs are not Olympus. But in some ways, if Olympus is really close to being released, then a code review now will help that stay secure and give a good reason for upgrading. That takes some pressure off doing the 2.0.x branch for a little bit.
As a bit of history though, I "fixed" XMB 1.9.1 like this, and the back ports to 1.8 never happened - no one had the time or the inclination to fix it. I started 1.8 SP4 several times. The fixes were so extensive, often it was simply easier to replace entire files with 1.9.1 files and change them to work with 1.8 templates (so new underpinnings, old look and feel).
projectphp wrote: So, I have read a bit now and it sounds interesting. So what do you need? And by that, I mean be specific. Some questions that need answering:
1. How many people?
As many as I can get. So far, two or three. Certainly, keeping it down to about five or so helps as sometimes there are too many helpers and coordination becomes n^2 difficult. However, luckily, security reviews are easily parallelizable once skill levels come up.
The best way to learn how to do a security code review is to do them, and ask questions. I'll take the volunteers I have so far through about an hour's worth of training in threat modelling and recommend they read a certain chapter of Threats and Countermeasures - a free PDF book by MS.
Then to ensure that we're all on the same page, we'd go through the "low lying fruit" examples as they are easy to learn, easy to exploit, and often yield the highest paybacks. For example, you search for fopen(), system(), getenv() and $_SERVER, and the major variables $_GET and friends. Once you find the places they are used, you apply STRIDE and see if there's a problem. If there is, you write it up. If there isn't a problem, instead I write "Such and such was investigated and found to be safe." If the safety goes beyond a happy circumstance, I write about the controls found. This can really help instill confidence in the coders that they're on track and doing well. Otherwise a security review reads like a Chicken Little report and helps no one as it really puts off even coders with ultra thick skins.
projectphp wrote: 2. Is a "staffer" an absolute requirement?
No, but familiarity with the code and PHP coding will really help. Failing that, a great deal of enthusiasm to learn the innards of a major project - once complete, you may know the code better than some of the devs. Security reviews often crawl around in the darkest spots in many code bases.
projectphp wrote: 3. Who will run the project (I assume you)?
I like being collaborative. I'm not fussed. In the open source world, the person who contributes the most is often the "leader" (fwiw) by default.
projectphp wrote: 4. How will it be co-ordinated?
This is an interesting question. For this to be effective, as I'm in Australia (+11 UTC this week, +10 in a couple of weeks due to DST), and I'm fairly certain that most of the volunteers so far are not in Australia, it has to be via a private forum or a private blog or wiki. E-mail could work, but it starts to get hairy once there's more contributors and the attachment sizes creep up (most of my documents end up being about 3-4 MB in size due to screen shots and inclusions). Sticking with a wiki or a forum helps as everyone has a browser.
As each vulnerability can usually be fixed quickly by devs, unlike a normal review I do for clients, I don't want them to wait for the result of the entire review. Using a wiki or forum will allow them to see the completed reviews and take action as soon as they're done and the risks are agreed. For example, the example I created above took 1 minute to find, and about an hour to research and write up.
Once the code base is fixed, and we're certain that 2.0.x doesn't also suffer from the same problems, I'd like for the review to be made public. That way other projects and the devs can read through the history and be aware of the sort of things they should be looking for.
projectphp wrote: 5. When will all this start?
Let's start now on PHP 3.0 as it seems close to release. That way we know that 3.0 can be released and let go for some time and makes a strong recommendation for hosters to foist it upon their recalcitrant PHP 2.0.x boards. Hosters hate being attacked.
projectphp wrote: 6. Do you have a timeline??
Volunteer projects have a history of going for longer than you expect. I expect this to take about 30 * 8 = 240 hours, divided by four people who can contribute maybe 5 to 10 hours a week may take six to eight weeks to complete. Of course, I could be wildly off course - maybe some of you are at Uni or have lots of free time and can contribute more than average. Until we start, we don't know for sure.
Andrew
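One way to mechanise the "low lying fruit" first pass Andrew describes above (search for the sinks and the superglobals, then decide per call whether it is answered by inspection or needs tracing before it can be written up), as an added Python example that is not code from this thread or from phpBB; the sink list beyond fopen()/system() and the sample PHP are assumptions:

```python
import re
from typing import List, Tuple

# Sinks and untrusted sources to search for, following the post's list
# (fopen(), system(), getenv(), $_SERVER, $_GET and friends).
# exec/passthru are an added assumption: the usual siblings of system().
SINK_RE = re.compile(r"\b(fopen|system|exec|passthru)\s*\(")
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b|\bgetenv\s*\(")

def call_args(line: str, start: int) -> str:
    """Return the text between the sink's opening paren (at index start)
    and its matching close paren, or the rest of the line if unmatched."""
    depth = 0
    for i in range(start, len(line)):
        if line[i] == "(":
            depth += 1
        elif line[i] == ")":
            depth -= 1
            if depth == 0:
                return line[start + 1:i]
    return line[start + 1:]

def triage(php_source: str) -> List[Tuple[int, str, str]]:
    """List every sink call as (line number, sink, verdict).
    'direct': a superglobal or getenv() sits inside the call's arguments,
    so the STRIDE question is answered by inspection and gets a write-up.
    'review': the argument must be traced by hand before it is written up
    as either a finding or "investigated and found to be safe"."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # ignore trailing line comments
        for m in SINK_RE.finditer(code):
            args = call_args(code, m.end() - 1)
            verdict = "direct" if SOURCE_RE.search(args) else "review"
            findings.append((lineno, m.group(1), verdict))
    return findings

# Constructed sample, not phpBB code: four sink calls of differing risk.
SAMPLE_PHP = """<?php
$name = basename($_GET['name']);
$fh = fopen($_GET['file'], 'r');            // direct: request picks the path
$fh2 = fopen("./cache/" . $name, 'r');      // review: trace $name to line 2
system('ls ' . escapeshellarg(getenv('HOME')));  // direct: env is an input
$log = fopen('/var/log/app.log', 'a');      // review: constant, write up as safe
"""

if __name__ == "__main__":
    for lineno, sink, verdict in triage(SAMPLE_PHP):
        print(f"line {lineno}: {sink}() -> {verdict}")
```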
- Registered User
- Posts: 9
- Joined: Sat Dec 18, 2004 4:27 pm
- Location: FunLand
Re: What is Involved in a code review of phpBB??
I am willing to volunteer. I am not a formal phpBB developer or regular contributor, but I do like phpBB, and am a (self-proclaimed) proficient PHP programmer. I also use phpBB quite frequently and would like to think I have become familiar with the code. At one point I was looking to integrate it with an open source project I am working on, but it was decided that for our needs it would be better to write one from scratch.
Anyway, I would be generally able to contribute 1-10 hours a week (yes, it can fluctuate that much). A more significant contribution I could make would be hosting. I could host the forums and wiki (as a combination of both seems optimal to me), as long as the general public does not gain admittance (as I might be afraid of going over my bandwidth).
- Registered User
- Posts: 29
- Joined: Sat Oct 25, 2003 6:57 am
- Location: Melbourne, Australia
Re: What is Involved in a code review of phpBB??
I already have a forum in place for a semi-abandoned project to create a next gen PHP 5.0 only MVC all singing all dancing forum. I have 16 GB a month to play with, so no problems with bandwidth on my end. No one visits the forum any more (not that many joined).
I've locked the forums down. You need to know where it is, you need to register, and you need to ask for a password to get into the forum to see the contents. That should provide enough privacy from random passers by.
I'll PM the details to those who have expressed an interest.
thanks,
Andrew
Re: What is Involved in a code review of phpBB??
LOL!!! There are different ways to become part of any team whatsoever. I'm beginning to smell a rat in this so-called 'code review'. Is it in actual fact a ploy to sneak in a phpBB fork through the back door?
Is it really a pretext of doing a code review and when it's rejected by the legitimate dev team, all of sudden turns up as phpBB "reviewed" or "improved" something like that?
Just wondering:-)
- Registered User
- Posts: 9
- Joined: Sat Dec 18, 2004 4:27 pm
- Location: FunLand
Re: What is Involved in a code review of phpBB??
First off, it would be well within our rights to fork phpBB if we wanted to as it is published under the GPL.
Second, I have no intention of doing so as I don't have the time in addition to my other projects. I am surprised I have time for this.
Third, I see what you people do to gracious devs here. I have never before seen a group of people (phpbb dev team) work so hard for free, to get treated in the way they do by their community. IT'S OSS! It isn't supposed to make deadlines, it isn't supposed to come through always. That is the beauty of it. When it does come out, it is a surprise. Everyone can then all be like: "OMG!! It's done! I am going to call all my friends!!".
Fourth, the review was never rejected, as I see it, just viewed the wrong way by everyone but the dev team and the dev team got agitated.
- Registered User
- Posts: 29
- Joined: Sat Oct 25, 2003 6:57 am
- Location: Melbourne, Australia
Re: What is Involved in a code review of phpBB??
I'm beginning to smell a rat in this so-called 'code review'. Is it in actual fact a ploy to sneak in a phpBB fork through the back door?
Good point, but no dice. Here's what's on my out of hours list of things to do so far:
- OWASP Guide 2.0 editorship. Need to finish that effort by around April 18 when I'm presenting it to linux.conf.au's security mini-conf
- linux.conf.au: Need to create a 50-55 minute presentation on above
- phpBB code review: when it's done, it's done
- eat
- have a social life
- watch Tivo. A lot. It records way more than I actually view
- Rub my cats' tummies (they hate it, but someone has to do it)
- Go to WeightWatchers once a week. Go to the gym on the other nights
- Finally get through the Firefly DVD box set I bought a few months back
- Play Civ 3. I can't help myself
- Run my 2500 member Volkswagen forum (which runs XMB 1.9.1)
- Develop the scalable version of XMB Xtreme as I promised a friend I would
- Sleep
You will be able to tell if I ever change my mind ... there will be an XMB 1.9.1 -> phpBB 3.0 converter popping out.
Andrew