What is Involved in a code review of phpBB??

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Alagba
Registered User
Posts: 68
Joined: Thu May 22, 2003 1:32 pm

Re: What is Involved in a code review of phpBB??

Post by Alagba »

programmermatt wrote: First off, it would be well within our rights to fork phpBB if we wanted to as it is published under the GPL.
That's not being disputed.
programmermatt wrote: Forth, the review was never rejected, as I see it,...
Well, I should have said sth like "...if/when it's rejected by the legitimate dev team, all of a sudden ...."

The beauty of the open source movement which I love ) is collaboration but don't forget the saying "too many cooks ..."

The phpBB dev team is one of the best around and I don't think there's any justification for the hassle they've been facing on this board. After all, these are pros doing volunteer work. They deserve all the accolades they can get. If anyone is interested in making a name for themselves, let them go ahead and start a project from scratch not build on another's foundation without due credit or recognition.
vanderaj
Registered User
Posts: 29
Joined: Sat Oct 25, 2003 6:57 am
Location: Melbourne, Australia
Contact:

Re: What is Involved in a code review of phpBB??

Post by vanderaj »

I wont go down this path too much as it's been a painful path so far. But to put your suspicions at rest, here's what I posted in the other place earlier this afternoon (well before your post):
Once I'm happy with the results of the 2.0.13 issues, I will put them into the security tracker. They need to be fixed.

On the 3.0 issues, if they ask for a login (and I hope they do), they can look at the posts just as you and I do. If they don't, I think the best bet is to finish a section (like Authentication) and report the issues en masse to the security tracker.

In the past, I've found that dealing with five issues dumped at once (particularly those with fixes) are easy to cope with. If we dump 250 items on them (worst case scenario), it's too much to cope with.
(The plan is to teach the volunteer reviewers how to do security reviews using the outstanding three bugs for 2.0.13 on Bugtraq, and then move on to doing the 3.0 code base after that.)

If this comes to fruition, you can see the process working in the way I intend - visible improvements to the phpBB code base, reviewer's skills coming up, and issues we discover fixed by the phpBB devs in a risk assessed way to minimize the use of their time. As it turns out, none of the volunteers is a dev, but that's okay. We'll muddle through somehow.

Andrew
Alagba
Registered User
Posts: 68
Joined: Thu May 22, 2003 1:32 pm

Re: What is Involved in a code review of phpBB??

Post by Alagba »

Don't get me wrong vanderaj. It's a free world, innit? Wishing you the very best in your project. But that still doesn't overcome my uneasiness. that's all.
blobber
Registered User
Posts: 96
Joined: Wed Mar 16, 2005 6:28 pm

Re: What is Involved in a code review of phpBB??

Post by blobber »

Hi !

I think, all this sounds rather interesting - I'm sure the project could benefit from it.

Even if there shouldn't be any immediate dev-team feedback because of their time-constraints , the project itself might extremely benefit from the work that you mentioned above and would have to do anyway.

So, examining and documenting the architecture (code & db) is probably well worth it in its own - regardless of any security holes that you might find, said technical docs would certainly be very welcomed by many people. So, writing down the purposes of each file, function, object and method would probably be pretty useful in itself - as well as documenting what files/functions are accessing what tables.

I'm pretty sure that such technical docoumentation would ultimately turn out to be very useful to many people, however I doubt that something like that can be managed within 2-3 months - it's quite a job to document software that you've written yourself, to document software that others have written can become quite a challenge, particularly without any developers involved.

On the other hand, making use of source code documentation tools would probably simplify the task a lot.

Also, as long as you keep planning to do this review while the actual development itself goes on, it would probably be wise to really talk to the authors, so that you folks can concentrate on those parts of the code that are close to finished, instead of examining and debugging any pre-alpha code that might be subject to change anyway.

While I am currently not sure whether I could really afford the time to be of much use to such an undertaking, I'm definitely very much interested in it - indeed, security-related thoughts originally made me sign up here. So, I'm not sure how many people you have currently attracted to your idea, but personally I'd definitely love to get some more information - you mentioned various docs that one should have read, I'd like to suggest that you assemble some simple information package and make it downloadable anywhere, so that everybody can check out everything in order to be able to make a realistic assessment about the required level of expertise to be really helpful.

You said, that you were understandably looking for as many helpers as possible, I guess you could attract an even larger audience by posting at phpBB.com - there seem to be plenty of folks who are familiar with the internals of phpBB, and even more important: the folks there seem to have much more spare time at their hand than the dev team itself, or even those users that are registered at area51.

I'd recommend to formulate some requirements (i.e. php/sql knowledge, phpBB familiarity, 1-xx hrs spare time/week, regular internet access etc.) and post a summary of what you have described above.

So, if you introduce your goals and provide some basic information about the requirements, as well as making available a package that contains all relevant security related docs, it's gonna be much easier for people to really decide whether they can/want to contribute or not.

P.S.: Taking into account your security-related background, I have to admit that I'd love to see some feedback from you about my idea to potentially increase phpBB's security towards SQL injection attacks by requiring a dynamic scope/context for each query in order to validate each query before actually executing it.
vanderaj
Registered User
Posts: 29
Joined: Sat Oct 25, 2003 6:57 am
Location: Melbourne, Australia
Contact:

Re: What is Involved in a code review of phpBB??

Post by vanderaj »

Wow. A lot of points.

We're not creating architecture documentation. Just enough to understand how the application hangs together. We may end up waving a big wand over large swathes of the code and say "that's the XXX component".

Agreed that some form of documentation would be a boon, but it's not the main focus of the review. However, if we write patches, what would be useful is to know if we're allowed to use JavaDoc style comments at the top of functions we modify to keep a change history? Self documenting code is a minimum security requirement as far as I'm concerned.

We wish to interact with the devs, no doubt about that.

As I've had another thread deleted on phpBB.com and the rules prohibit the posting of security information (at least in the views of one mod there), I'm not going to post back on phpBB.com's forum. I've got four volunteers + me so far, so I'm going to start with that. If you'd like to help, PM me, and I'll pass on the info on where to find the effort.

Andrew
Alagba
Registered User
Posts: 68
Joined: Thu May 22, 2003 1:32 pm

Re: What is Involved in a code review of phpBB??

Post by Alagba »

Agreed that the idea is good. Isn't this a subtle way of hijacking phpBB dev effort on the phpBB dev forum?
SamG
Registered User
Posts: 1241
Joined: Fri Aug 31, 2001 6:35 pm

Re: What is Involved in a code review of phpBB??

Post by SamG »

Remember that a community-assisted security review of Olympus is already on the agenda, slotted to take place between the beta and RC stages. Additionally, psoTFX already noted his interest in vanderaj's basic idea applied to a security review of Olympus at the appropriate time.
"I hate trolls!" - Willow Ufgood
SamG
Registered User
Posts: 1241
Joined: Fri Aug 31, 2001 6:35 pm

Re: What is Involved in a code review of phpBB??

Post by SamG »

vanderaj wrote: ... As I've had another thread deleted on phpBB.com and the rules prohibit the posting of security information (at least in the views of one mod there), I'm not going to post back on phpBB.com's forum.
I'm not aware of the content of the thread you've mentioned, but let me note that in the view of all phpBB.com moderators, posting phpBB security issues in the open forums is disallowed, as per the phpBB.com administrators' explicit instructions. The phpBB security tracker is the vehicle of choice for reporting phpBB security issues.
"I hate trolls!" - Willow Ufgood
vanderaj
Registered User
Posts: 29
Joined: Sat Oct 25, 2003 6:57 am
Location: Melbourne, Australia
Contact:

Re: What is Involved in a code review of phpBB??

Post by vanderaj »

And so the security discussion moves from phpBB to bugtraq where the damage to your users is so much worse.

Some background. In the early 1990's, CERT used to be the clearing house for security related bugs. Their interface then was remarkably like the security tracker - a one way device. They had a policy of never releasing the bugs until the vendors had a fix. The vendors knew this, so they never patched the bugs. In this way, critical fixes, like the DNS -procedural- issue noted around 1992 which could have *destroyed* the Internet's very naming structure if abused, wasn't fixed until bind 8 came out, and even then it was a huge issue until bind 4.9x was not used in a major way any more.

Covering up security (security through obscurity is the term we use) NEVER works. Never has, never will. Removing security discussion is counterproductive. The most secure cryptosystems are those which are completely in the open and are subject to extensive, specialist and microscopic review.

Doing security at point X is also somewhat pointless. It means you're "secure" at point X, not intrinsically and not for all time. Security is a continuous process. Secure products, security starts on the back of the napkin or envelope where the great idea pops out. Security is a mind set, what I call "thinking evil". If you don't think evil, your software will have security bugs, and procedural issues which will allow an attacker to bypass your software's controls.

The length of time I think the code review we're undertaking will take means that starting now is a good idea. It sounds like Olympus is nearly ready, so now is the time to start. So we've started. I hope the devs are able to use the output we create.

Andrew
blobber
Registered User
Posts: 96
Joined: Wed Mar 16, 2005 6:28 pm

Re: What is Involved in a code review of phpBB??

Post by blobber »

Vanderaj, as I said I am not yet entirely sure about of how much use I could be in the long run, but feel free to send me any links to docs that your volunteers should have read, I think it will be much easier for me to make a realistic assessment then.

Despite from what vanderaj already mentioned, I don't get what's the point in deleting a posting which is not specifically about any particular security issues, but rather about looking for volunteers who would be willing to participate in a code reviewing effort to -ultimately- support the dev team ?
Such a call should be perfectly legitimate, shouldn't it ?

Also, to some extent I think vanderaj's statement about exploits being posted using the bugtracker is worth to think about.

So, even if only a small number of competent people should be found by posting a corresponding call on phpBB.com, the reviewing effort is probably going to take less time with more competent people on the team.
And I am still sure that you can find pretty competent folks over there, regardless of whether they are actually part of the dev team or not.

Looks, like there might gonna be a "Security Consultants" team some time in the future ;-)
... which would also create the possibility to let certain users post exploits in some hidden forum here, maybe that would address the problems that are caused by phpBB's policy about discussing security related issues ?
Locked