Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:100213 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 44113 invoked from network); 15 Aug 2017 09:29:55 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 15 Aug 2017 09:29:55 -0000 Authentication-Results: pb1.pair.com smtp.mail=nikita.ppv@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=nikita.ppv@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.214.51 as permitted sender) X-PHP-List-Original-Sender: nikita.ppv@gmail.com X-Host-Fingerprint: 209.85.214.51 mail-it0-f51.google.com Received: from [209.85.214.51] ([209.85.214.51:36945] helo=mail-it0-f51.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id DE/49-34801-21FB2995 for ; Tue, 15 Aug 2017 05:29:54 -0400 Received: by mail-it0-f51.google.com with SMTP id 76so2479755ith.0 for ; Tue, 15 Aug 2017 02:29:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=FpEvppey/ODqlRHA6qpT/0pYGx+0A8qU8qZvTkqC3Dw=; b=HSQlWz9+kww5DX8zmjfG7ORUW/gfir56WERgwItCmzbnhbYHeIENCZXA4BKt/7yWtb 6Cv/mZDFMEfKMBoKFa7y2/jFm1XxE6Z1llr1k5/qJCRCq0qsXnYMGTL2Rw8L4fhxBDDn 56WvU0MS/qKtnIO+T29FQL12csLO/EI612P45uhjxv3l2BNkQhu6NiJrnukhXRlSO2Ie S+5/sq6I5Dvu59YxSSoMYmTEyFD0y9Bi/NDVhQR4hWvPrelvI6t/IrRGgVPDhHMbaoId EzC4Zx2iRjIXUADySYGUYhqTZHhcY6+6y5/SvUfbvjDoZehX3/C3HDuikG3lDZXX+guT s4yQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=FpEvppey/ODqlRHA6qpT/0pYGx+0A8qU8qZvTkqC3Dw=; b=Ek4Z5cHkR1r009vxqV1KYT4BvxfkGizi4ABvwLxxoMX5+K5UWWrpSGq+RyzpoLkETv aYPB8QjkxRIKVA24SZAYurSeUWmxo+trF51YhvLvWN/mbVytQKPGklMe/iuQKV+2SVDj 1FZwGaYG+ulCUlelkx2Rj8/3rk9n1R8QdRFSBeMjIGq6f1shlF/Wdv+mgN9boq3O1cL8 KjDtS+MAGFmnf43C+Z0XCorxbedSzp8PvpdjZAfuxKoKZaJbPCDhtMWfSEY2/nZ9VuWU 1SBUoClV75FXsrzw0jtT4hfD25HqF21kTo6TEPTB9ssjoRpWAnoeo/UTz/PMEXKMLW80 3YCw== X-Gm-Message-State: AHYfb5h4LZSK2WEpcuj1FPo+fvZPjEGsevqzomRUsR1gS87s8Z8vMl5H NacDvHRIWKi1/ekrmlD3mQ6LV+Bvrg== X-Received: by 10.36.228.134 with SMTP id o128mr1340890ith.89.1502789391005; Tue, 15 Aug 2017 02:29:51 -0700 (PDT) MIME-Version: 1.0 Received: by 10.107.13.3 with HTTP; Tue, 15 Aug 2017 02:29:50 -0700 (PDT) In-Reply-To: References: Date: Tue, 15 Aug 2017 11:29:50 +0200 Message-ID: To: Stanislav Malyshev Cc: PHP internals Content-Type: multipart/alternative; boundary="94eb2c111d12d2bbe80556c76b7c" Subject: Re: [PHP-DEV] Unserialize security policy From: nikita.ppv@gmail.com (Nikita Popov) --94eb2c111d12d2bbe80556c76b7c Content-Type: text/plain; charset="UTF-8" On Fri, Aug 11, 2017 at 12:55 PM, Nikita Popov wrote: > On Thu, Aug 10, 2017 at 10:49 AM, Nikita Popov > wrote: > >> On Sun, Aug 6, 2017 at 12:49 AM, Stanislav Malyshev >> wrote: >> >>> Hi! >>> >>> > https://bugs.php.net/bug.php?id=75006 has been marked as a >>> non-security >>> > bug, with the justification that unserialize() should not be fed >>> untrusted >>> > input. While we do document that unserialize() shouldn't be used on >>> > untrusted input, we have always treated these as security bugs in the >>> past. >>> >>> Not always, but sometimes we did. I think we should stop doing it, as to >>> not validate the idea that unserialize can safely be used with untrusted >>> data (it can't, and it doesn't look likely that it ever will be, at >>> least not without comprehensive rewrite and possibly removing references >>> support, which is not likely to happen). >>> >>> If anybody strongly feels that this is wrong, we can make an RFC about >>> it, but given the current state of unserialize(), I can not say we can >>> support such usage scenario in the current state of unserialize() code, >>> and would like to hear arguments to the contrary. >>> >>> If somebody wants to do something about it, please feel welcome, we have >>> a number of open unserialize bugs right now (if you want to work on them >>> and don't have access to private bugs and you believe you should - >>> please ask on security@ list). >>> >> >> Thanks everyone for the clarification. I agree that this is the right >> decision. I think it would be good to update the security policy to >> explicitly mention unserialize(), as this is probably our largest source of >> security bug reports right now, so there's bound to be questions from >> security researchers regarding this. >> >> Nikita >> > > I think it might also be useful to make a distinction based on > allowed_classes here. I think there is a reasonable expectation that if > allowed_classes is empty (and as such any object injection vectors are > excluded), unserialize() should be safe. The vast majority of unserialize() > bugs are variants on the theme of __wakeup() and > Serializable::unserialize(). But there are also bugs that apply with > allowed_classes=>[], for example https://bugs.php.net/bug.php?id=75054. > > Nikita > Here's some external perspective on unserialize() security by Sean Heelan: https://sean.heelan.io/2017/08/12/fuzzing-phps-unserialize-function/ The two main points are: 1. While it's true that if you're using unserialize() on untrusted input you are most likely going to be vulnerable due to object injection, it may be quite hard for an attacker to exploit this for closed source applications, because it requires knowledge about specific classes defined by the application. On the other hand, bugs in unserialize() itself can be exploited much more reliably, without knowing any specific details of the application. 2. We should be able to precipitate most unserialize() bugs by regularly fuzzing it ourselves. The setup for doing so is also provided. Nikita --94eb2c111d12d2bbe80556c76b7c--