Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:100179
Return-Path: <nikita.ppv@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 73179 invoked from network); 11 Aug 2017 10:55:05 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 11 Aug 2017 10:55:05 -0000
Authentication-Results: pb1.pair.com header.from=nikita.ppv@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=nikita.ppv@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.214.41 as permitted sender)
X-PHP-List-Original-Sender: nikita.ppv@gmail.com
X-Host-Fingerprint: 209.85.214.41 mail-it0-f41.google.com  
Received: from [209.85.214.41] ([209.85.214.41:35577] helo=mail-it0-f41.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 64/94-34801-80D8D895 for <internals@lists.php.net>; Fri, 11 Aug 2017 06:55:05 -0400
Received: by mail-it0-f41.google.com with SMTP id 76so26044548ith.0
        for <internals@lists.php.net>; Fri, 11 Aug 2017 03:55:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=tIpVFfHWKrAHeFjUncf+k/TAV90xUDU/cGMY3KA54lU=;
        b=n51lbPHsrgFxt2InTSXGxDb4xX8Ix4JSU4ayCu1ol+l9ITM+jOxl6GQV8hR2Mk82sT
         o1vHmj8+tmgTfjUj1MwORiF+tTmyxqfO36XIuk1KCO20ogJx2+tShIRIxPqHtIFUmrlo
         GIYsqBIvAetlEPDUPtX65apF3Zbl2TM5DS4dkC7zYuf9Mc+EEfANxPFkTK7jqNyC5XTW
         NdXCh40Wzu+atGHTESp+A0gzZYlpLUZFPYJmyuaPrF7006lCUKs34yzYAnWQxE/Zx0y/
         uV5zhW0QhZCTrJQTeEn23A03VuvnUb5B5jvHk6NK8RvTL+Eq9xKbPxczHoHKxwyNB3sp
         FT2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=tIpVFfHWKrAHeFjUncf+k/TAV90xUDU/cGMY3KA54lU=;
        b=Os/NZtszjYJUPmIN1R7hXQ4wq87KBCgnICncmP9Oejcr3RO46ARnNGlFjmCEbddYS1
         Y8LmuStG2fZH9BR3G4iLKvmWxcDa0ezIb60gA0l+fk1ukHHFkkwZSt/48B/zrxgAc3tk
         1BNfA25IkhdqjrAVSZ0EtdkvXjq5N0JX0zKMH/ei5U/RayrSKxO9vnjZ0S9lTb8ko648
         N2nDAxJDainVCQ2JrXWLFqVNuhd84P6gOtMgBjOVn8J+Kjtv4PEJJzV2HglFIBSCtL44
         vVs/DcwV6dtZeqr294AjxJwYFmcm1vs3YSubPFxANv3WLCM0DLINl0VjE6gKlZT55lb4
         HO6Q==
X-Gm-Message-State: AIVw110dZQ0iNBuqjui/drL2IKjKJwomYOHSp2EBsU4xR6cnPdBN5scc
	bkK0HKK6CjRD8ExHU6EID0IQ6YDo+w==
X-Received: by 10.36.79.13 with SMTP id c13mr12968092itb.26.1502448902390;
 Fri, 11 Aug 2017 03:55:02 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.13.3 with HTTP; Fri, 11 Aug 2017 03:55:01 -0700 (PDT)
In-Reply-To: <CAF+90c_RUYwFgXK6rYvspvm1w+MUaeimRVzMJzHyWVj_t3oYXA@mail.gmail.com>
References: <CAF+90c9-irX2gCu_858nQwQ-ARshwbV_8mtNAN-UMBgSvXVp0w@mail.gmail.com>
 <f59a0ba5-228b-88ed-bb99-d296684726c1@gmail.com> <CAF+90c_RUYwFgXK6rYvspvm1w+MUaeimRVzMJzHyWVj_t3oYXA@mail.gmail.com>
Date: Fri, 11 Aug 2017 12:55:01 +0200
Message-ID: <CAF+90c-PumhFT0spXrLfEDZ-R3pY+HRAnuX+2m_aOu=RJ6qOJQ@mail.gmail.com>
To: Stanislav Malyshev <smalyshev@gmail.com>
Cc: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="001a11449eb41ec70d0556782503"
Subject: Re: [PHP-DEV] Unserialize security policy
From: nikita.ppv@gmail.com (Nikita Popov)

--001a11449eb41ec70d0556782503
Content-Type: text/plain; charset="UTF-8"

On Thu, Aug 10, 2017 at 10:49 AM, Nikita Popov <nikita.ppv@gmail.com> wrote:

> On Sun, Aug 6, 2017 at 12:49 AM, Stanislav Malyshev <smalyshev@gmail.com>
> wrote:
>
>> Hi!
>>
>> > https://bugs.php.net/bug.php?id=75006 has been marked as a non-security
>> > bug, with the justification that unserialize() should not be fed
>> untrusted
>> > input. While we do document that unserialize() shouldn't be used on
>> > untrusted input, we have always treated these as security bugs in the
>> past.
>>
>> Not always, but sometimes we did. I think we should stop doing it, as to
>> not validate the idea that unserialize can safely be used with untrusted
>> data (it can't, and it doesn't look likely that it ever will be, at
>> least not without comprehensive rewrite and possibly removing references
>> support, which is not likely to happen).
>>
>> If anybody strongly feels that this is wrong, we can make an RFC about
>> it, but given the current state of unserialize(), I can not say we can
>> support such usage scenario in the current state of unserialize() code,
>> and would like to hear arguments to the contrary.
>>
>> If somebody wants to do something about it, please feel welcome, we have
>> a number of open unserialize bugs right now (if you want to work on them
>> and don't have access to private bugs and you believe you should -
>> please ask on security@ list).
>>
>
> Thanks everyone for the clarification. I agree that this is the right
> decision. I think it would be good to update the security policy to
> explicitly mention unserialize(), as this is probably our largest source of
> security bug reports right now, so there's bound to be questions from
> security researchers regarding this.
>
> Nikita
>

I think it might also be useful to make a distinction based on
allowed_classes here. I think there is a reasonable expectation that if
allowed_classes is empty (and as such any object injection vectors are
excluded), unserialize() should be safe. The vast majority of unserialize()
bugs are variants on the theme of __wakeup() and
Serializable::unserialize(). But there are also bugs that apply with
allowed_classes=>[], for example https://bugs.php.net/bug.php?id=75054.

Nikita

--001a11449eb41ec70d0556782503--