Newsgroups: php.internals
Subject: Re: [PHP-DEV] Unserialize security policy
From: nikita.ppv@gmail.com (Nikita Popov)
Date: Thu, 10 Aug 2017 10:49:35 +0200
To: Stanislav Malyshev
Cc: PHP internals

On Sun, Aug 6, 2017 at 12:49 AM, Stanislav Malyshev wrote:
> Hi!
>
> > https://bugs.php.net/bug.php?id=75006 has been marked as a non-security
> > bug, with the justification that unserialize() should not be fed untrusted
> > input. While we do document that unserialize() shouldn't be used on
> > untrusted input, we have always treated these as security bugs in the past.
>
> Not always, but sometimes we did. I think we should stop doing it, as to
> not validate the idea that unserialize can safely be used with untrusted
> data (it can't, and it doesn't look likely that it ever will be, at
> least not without comprehensive rewrite and possibly removing references
> support, which is not likely to happen).
>
> If anybody strongly feels that this is wrong, we can make an RFC about
> it, but given the current state of unserialize(), I can not say we can
> support such usage scenario in the current state of unserialize() code,
> and would like to hear arguments to the contrary.
>
> If somebody wants to do something about it, please feel welcome, we have
> a number of open unserialize bugs right now (if you want to work on them
> and don't have access to private bugs and you believe you should -
> please ask on security@ list).

Thanks everyone for the clarification. I agree that this is the right decision. I think it would be good to update the security policy to explicitly mention unserialize(), as this is probably our largest source of security bug reports right now, so there's bound to be questions from security researchers regarding this.

Nikita
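The practical consequence of the position above is that unserialize() may only ever see bytes the application produced itself, and that anything arriving from a client goes through a format without object or reference semantics. The following is an added example illustrating that pattern; it is not code from the thread or from the PHP project. The class name SealedSerializer, the token layout and the in-memory key are assumptions made for the illustration; in a real deployment the key would be a persistent secret loaded from configuration. Note that the allowed_classes option is only defence in depth here: the integrity check is what keeps attacker-controlled bytes away from the parser, which is the point Stanislav makes.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread or from php-src).
// Serialized data is treated as trusted only when this process produced it
// and can verify that it was not modified before it comes back.
final class SealedSerializer
{
    // Assumption: a 32-byte secret supplied by the caller.
    public function __construct(private string $key) {}

    // Serialize and append an HMAC over the serialized bytes. A tampered
    // payload fails verification before unserialize() ever parses it.
    public function seal(mixed $value): string
    {
        $payload = serialize($value);
        $mac = hash_hmac('sha256', $payload, $this->key);
        return $mac . ':' . base64_encode($payload);
    }

    public function open(string $token): mixed
    {
        $parts = explode(':', $token, 2);
        if (count($parts) !== 2) {
            throw new InvalidArgumentException('malformed token');
        }
        [$mac, $encoded] = $parts;
        $payload = base64_decode($encoded, true); // strict: reject stray characters
        if ($payload === false) {
            throw new InvalidArgumentException('malformed token');
        }
        // Constant-time comparison of the MACs. Only bytes we signed ourselves
        // reach unserialize(); this is the real safety boundary.
        if (!hash_equals(hash_hmac('sha256', $payload, $this->key), $mac)) {
            throw new RuntimeException('integrity check failed; refusing to unserialize');
        }
        // allowed_classes => false is defence in depth only: it stops object
        // instantiation, not parser-level bugs, so it is never a substitute
        // for the integrity check above.
        return unserialize($payload, ['allowed_classes' => false]);
    }
}

// Input from a client is never serialized PHP. JSON decoded into plain arrays
// carries no object, class or reference semantics for the parser to act on.
function decodeClientJson(string $body): array
{
    $data = json_decode($body, true, 32, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('expected a JSON object or array');
    }
    return $data;
}

// Usage with a constructed sample value and a constructed tampered token.
$s = new SealedSerializer(random_bytes(32));
$token = $s->seal(['user' => 42, 'roles' => ['admin']]);
var_dump($s->open($token));

$tampered = substr_replace($token, 'x', -5, 1);
try {
    $s->open($tampered);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

var_dump(decodeClientJson('{"user":42,"roles":["admin"]}'));
```

The sealed form is appropriate for data the application round-trips through its own storage, such as a cache or a signed cookie. Data a client can author from scratch should use decodeClientJson() or an equivalent; there is no option to unserialize() that makes it safe for that case, which is exactly why the thread declines to treat such reports as security bugs.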