Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:100209
To: Nikita Popov <nikita.ppv@gmail.com>
CC: PHP internals <internals@lists.php.net>
Thread-Topic: [PHP-DEV] Re: WDDX serialization and security
Thread-Index: AQHTFEYF3+MuuBSdm0KwpRpclngkzqKCb+kAgAFAdjA=
Date: Mon, 14 Aug 2017 11:04:14 +0000
Message-ID: <BY2PR02MB298BD40845853A3A5177B46AC8C0@BY2PR02MB298.namprd02.prod.outlook.com>
References: <CAF+90c8WVZAT=kaVqEB-V+kCJdtBV47dMv+uUP2hiecFRPEx0Q@mail.gmail.com>
 <4ca2906e-4117-9773-d2bd-c17e27425a90@gmx.de>
 <CAF+90c8AT-xwWGdVyMTSSAUNPVSF1qv9Sga9z68f=0Zm=457Cw@mail.gmail.com>
In-Reply-To: <CAF+90c8AT-xwWGdVyMTSSAUNPVSF1qv9Sga9z68f=0Zm=457Cw@mail.gmail.com>
Subject: RE: [PHP-DEV] Re: WDDX serialization and security
From: zeev@zend.com (Zeev Suraski)
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