Newsgroups: php.internals
To: Nikita Popov
CC: PHP internals
Thread-Topic: [PHP-DEV] Unserialize security policy
Date: Wed, 2 Aug 2017 21:24:31 +0000
Message-ID: <4F66B4F4-B98B-4CBC-8BE2-CA019657117A@zend.com>
Subject: Re: [PHP-DEV] Unserialize security policy
From: zeev@zend.com (Zeev Suraski)

> On 2 Aug 2017, at 23:03, Nikita Popov wrote:
>
> Hi,
>
> https://bugs.php.net/bug.php?id=75006 has been marked as a non-security
> bug, with the justification that unserialize() should not be fed untrusted
> input. While we do document that unserialize() shouldn't be used on
> untrusted input, we have always treated these as security bugs in the past.
>

Correct, which was a mistake long overdue for fixing.
Treating unserialize issues as security creates the false sense that we expect it to be secure, when we absolutely don't. We'll continue fixing these bugs of course, but after discussing it on the security mailing list, we decided to finally stop treating those as security issues. Unserialize is inherently insecure, people should know it and act accordingly. It may be worth a note in the ChangeLog to make it a bit more prominent.
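As an added example, not taken from Zeev's or Nikita's message or from php-src, here is one way application code can act on the thread's advice: reserve unserialize() for data the application itself produced and can authenticate, and parse genuinely external input with json_decode(). The HMAC wrapper, the key constant and the sample values are constructed for illustration and assume PHP 8 or later. Restricting allowed_classes limits what a payload may instantiate but does not make the parser safe on attacker-controlled bytes, which is why the MAC check runs before unserialize() is ever called.

```php
<?php
declare(strict_types=1);

// Hypothetical key; load it from your secret store, never hard-code it.
const HMAC_KEY = 'PLACEHOLDER-replace-with-a-random-32-byte-key';

/**
 * Serialize a value we own and bind it to a MAC so that only blobs this
 * application produced will ever reach unserialize().
 */
function seal(mixed $value): string
{
    $payload = serialize($value);
    $mac = hash_hmac('sha256', $payload, HMAC_KEY);
    return $mac . ':' . $payload;
}

/**
 * Verify the MAC first; only then call unserialize(). allowed_classes=false
 * refuses object payloads and max_depth bounds nesting, but neither is a
 * substitute for the MAC: the parser still never sees unauthenticated data.
 */
function unseal(string $blob): mixed
{
    $parts = explode(':', $blob, 2);
    if (count($parts) !== 2) {
        throw new InvalidArgumentException('malformed blob');
    }
    [$mac, $payload] = $parts;
    $expected = hash_hmac('sha256', $payload, HMAC_KEY);
    if (!hash_equals($expected, $mac)) {
        throw new RuntimeException('MAC mismatch: refusing to unserialize');
    }
    return unserialize($payload, ['allowed_classes' => false, 'max_depth' => 16]);
}

/**
 * Data that really comes from the outside (requests, webhooks, queues shared
 * with other parties) goes through a parser meant for untrusted input.
 */
function decodeUntrusted(string $json): array
{
    $data = json_decode($json, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('expected a JSON object or array');
    }
    return $data;
}

// Constructed demo values.
$blob = seal(['user' => 42, 'roles' => ['editor']]);
var_dump(unseal($blob)); // round-trips

// Tampered blob: the payload changed, so the MAC no longer matches and
// unserialize() is never reached.
$tampered = str_replace('i:42', 'i:43', $blob);
try {
    unseal($tampered);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

var_dump(decodeUntrusted('{"user":42,"roles":["editor"]}'));
```

The split matters: seal()/unseal() cover caches, sessions and queue messages that stay under the application's control, while anything a third party can write must arrive as JSON (or another format whose parser is designed for hostile input) rather than as PHP's serialization format.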