Newsgroups: php.internals
Xref: news.php.net php.internals:100158
Subject: Re: [PHP-DEV] Unserialize security policy
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Nikita Popov, PHP internals
Date: Sat, 5 Aug 2017 15:49:59 -0700

Hi!

> https://bugs.php.net/bug.php?id=75006 has been marked as a non-security
> bug, with the justification that unserialize() should not be fed untrusted
> input. While we do document that unserialize() shouldn't be used on
> untrusted input, we have always treated these as security bugs in the past.

Not always, but sometimes we did. I think we should stop doing it, so as not to validate the idea that unserialize can safely be used with untrusted data (it can't, and it doesn't look likely that it ever will be, at least not without a comprehensive rewrite and possibly removing references support, which is not likely to happen).
If anybody strongly feels that this is wrong, we can make an RFC about it, but given the current state of the unserialize() code, I cannot say we can support such a usage scenario, and would like to hear arguments to the contrary.

If somebody wants to do something about it, please feel welcome; we have a number of open unserialize bugs right now (if you want to work on them and don't have access to private bugs and you believe you should, please ask on the security@ list).

-- 
Stas Malyshev
smalyshev@gmail.com
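The risk behind Stas's point, shown as an added example that is not part of the original message and is not PHP's own code: a serialized string supplied by the caller decides which class unserialize() instantiates, and any __destruct()/__wakeup() of that class then runs on attacker-chosen property values. The CacheWriter class, the payload and the file path are constructed for illustration, and the snippet assumes PHP 8.0 or later. The allowed_classes option (present since PHP 7.0) closes the class-instantiation vector shown here; it does not change the parser itself, so it is not an answer to the parser-level bugs the thread is about.

```php
<?php
// Added example (not from the original thread): why unserialize() must not
// be fed untrusted bytes. Class, payload and path are constructed for the demo.

// An ordinary application class. Its __destruct() runs whenever an instance
// is released, including instances that unserialize() built from raw input.
class CacheWriter
{
    public function __construct(
        public string $path,
        public string $contents,
    ) {
    }

    public function __destruct()
    {
        // Legitimate use: flush a cache file when the object goes away.
        file_put_contents($this->path, $this->contents);
    }
}

// Attacker-controlled bytes, e.g. from a cookie or POST field. The application
// never constructs a CacheWriter here; the serialized string does it, and the
// attacker picks every property value. (String lengths in the payload must
// match the byte counts exactly or unserialize() rejects it.)
$untrusted = 'O:11:"CacheWriter":2:{'
    . 's:4:"path";s:25:"/tmp/unserialize-demo.txt";'
    . 's:8:"contents";s:20:"pwned by unserialize";'
    . '}';

// Vulnerable pattern: the input chooses the class, then the destructor fires.
function vulnerable(string $data): void
{
    $obj = unserialize($data); // CacheWriter instantiated from untrusted input
    unset($obj);               // refcount hits zero, __destruct() writes the file
}

// Mitigation for object injection only: never instantiate a real class.
// Objects come back as __PHP_Incomplete_Class, so no magic method of an
// application class can run. The unserialize() parser still sees the raw
// bytes, so this does nothing for bugs inside the parser itself.
function mitigated(string $data): mixed
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Preferred for untrusted data: a format with no object or reference
// semantics at all. The payload above is not valid JSON, so this throws.
function preferred(string $data): mixed
{
    return json_decode($data, true, 512, JSON_THROW_ON_ERROR);
}

// Demonstration.
vulnerable($untrusted);
printf("file written by injected destructor: %s\n",
    file_exists('/tmp/unserialize-demo.txt') ? 'yes' : 'no');

$safe = mitigated($untrusted);
printf("with allowed_classes=false the object is: %s\n", get_class($safe));

try {
    preferred($untrusted);
} catch (JsonException $e) {
    printf("json_decode rejected the payload: %s\n", $e->getMessage());
}

@unlink('/tmp/unserialize-demo.txt');
```

Run it with `php demo.php`. The point is not the particular class: any class loaded by the application with a __destruct(), __wakeup() or __toString() that touches files, the database or the network is a candidate, and the attacker needs only its name and property layout, which for open-source frameworks are public. That is why the message treats "unserialize on untrusted input" as unsupported rather than as something to patch case by case.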