From 3b32be9086aa2e3fb6926f9eda6477befd2ba478 Mon Sep 17 00:00:00 2001 From: Ilija Tovilo Date: Mon, 27 Apr 2026 23:02:09 +0200 Subject: [PATCH 1/2] Clarify security classification for unsanitized args Clearly, some functions _should_ be hardened against malicious arguments. Clarify this only applies to some functions. --- security-classification.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security-classification.rst b/security-classification.rst index fd0d381..30f496a 100644 --- a/security-classification.rst +++ b/security-classification.rst @@ -99,8 +99,8 @@ We do not classify as a security issue any issue that: - requires invocation of specific code, which may be valid but is obviously malicious -- requires invocation of functions with specific arguments, which may be valid - but are obviously malicious +- requires passing malicious arguments to functions clearly not intended to + receive unsanitized values, e.g. $query in mysqli_query() - requires specific actions to be performed on the server, which are not commonly performed, or are not commonly permissible for the user (uid) From 9a509cbd129e82b5b4983b508c108e3feac59660 Mon Sep 17 00:00:00 2001 From: Ilija Tovilo Date: Thu, 7 May 2026 18:34:01 +0200 Subject: [PATCH 2/2] Apply suggestion from Tim --- security-classification.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security-classification.rst b/security-classification.rst index 30f496a..4b6a01a 100644 --- a/security-classification.rst +++ b/security-classification.rst 
@@ -100,7 +100,8 @@ We do not classify as a security issue any issue that: malicious - requires passing malicious arguments to functions clearly not intended to - receive unsanitized values, e.g. $query in mysqli_query() + receive unsanitized values, e.g. mysqli_query(). escapeshellarg() on the + other hand should clearly be hardened against unsafe inputs. - requires specific actions to be performed on the server, which are not commonly performed, or are not commonly permissible for the user (uid)
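Review bot: In the hunk of patch 1/2 (@@ -99,8 +99,8 @@), the replacement bullet rests on "functions clearly not intended to receive unsanitized values" without saying how a reporter or triager is meant to decide that, so the exclusion is left to judgment with a single example to go on. Consider stating the criterion itself (for instance, that the function's documented purpose is to execute or interpret the argument as given) and keeping mysqli_query() as the illustration. The same bullet uses both "malicious arguments" and "unsanitized values" for what reads as one concept; settling on one term would make the rule easier to apply.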
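Review bot: In the hunk of patch 2/2 (@@ -100,7 +100,8 @@), the added sentence about escapeshellarg() describes something that is in scope, yet it sits inside a bullet under "We do not classify as a security issue any issue that:", so the list of exclusions now contains an inclusion. Suggest wording it as an explicit exception to the bullet (e.g. "This does not apply to functions whose purpose is to make input safe, such as escapeshellarg()") or moving it to a sentence after the list. The change also drops "$query in", which removes the indication of which mysqli_query() argument the exclusion refers to, and "unsafe inputs" adds a third term next to "malicious arguments" and "unsanitized values".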