Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:100222
Return-Path: <cmbecker69@gmx.de>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 88625 invoked from network); 15 Aug 2017 21:56:45 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 15 Aug 2017 21:56:45 -0000
Authentication-Results: pb1.pair.com smtp.mail=cmbecker69@gmx.de; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=cmbecker69@gmx.de; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmx.de designates 212.227.15.18 as permitted sender)
X-PHP-List-Original-Sender: cmbecker69@gmx.de
X-Host-Fingerprint: 212.227.15.18 mout.gmx.net  
Received: from [212.227.15.18] ([212.227.15.18:58668] helo=mout.gmx.net)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 23/ED-34801-D1E63995 for <internals@lists.php.net>; Tue, 15 Aug 2017 17:56:45 -0400
Received: from [192.168.2.123] ([79.243.116.167]) by mail.gmx.com (mrgmx001
 [212.227.17.190]) with ESMTPSA (Nemesis) id 0MO77c-1deS2H1zfw-005VX6; Tue, 15
 Aug 2017 23:56:41 +0200
To: Nikita Popov <nikita.ppv@gmail.com>,
 Stanislav Malyshev <smalyshev@gmail.com>
Cc: PHP internals <internals@lists.php.net>
References: <CAF+90c9-irX2gCu_858nQwQ-ARshwbV_8mtNAN-UMBgSvXVp0w@mail.gmail.com>
 <f59a0ba5-228b-88ed-bb99-d296684726c1@gmail.com>
 <CAF+90c_RUYwFgXK6rYvspvm1w+MUaeimRVzMJzHyWVj_t3oYXA@mail.gmail.com>
 <CAF+90c-PumhFT0spXrLfEDZ-R3pY+HRAnuX+2m_aOu=RJ6qOJQ@mail.gmail.com>
Message-ID: <33a61a5b-11a5-690e-d98c-86b101376be5@gmx.de>
Date: Tue, 15 Aug 2017 23:56:44 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <CAF+90c-PumhFT0spXrLfEDZ-R3pY+HRAnuX+2m_aOu=RJ6qOJQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: de-DE
Content-Transfer-Encoding: 8bit
X-Provags-ID: V03:K0:1IYbIBsGl1qyc7c2O/NxVTFKeuJ0cW9jUDy1B60WLX6araKZetr
 ENhXqJV1zsPWSHpfYMxlvuJczTGeWg8qv+4QNfjqL7WEDqCq/YCG+Sjne2AZnWXOU1efYKG
 BWNayIq9XhhYvq3WN2rZWmCWdWFEpaEyI7uufuEeqX31WsYKJFVkDe3OKP5Ox3rmx8Cle+b
 dki+N78y1+wA0PRFlawdg==
X-UI-Out-Filterresults: notjunk:1;V01:K0:HH9/KKZBROo=:EyYU9uGAoAuerOrqctS1Ti
 cOSP4OrGHh2F9AI5XxrGtfCHO10h+58GSj5+CxV1XqjzdSjJdMdANog9ZPfQ29RARSsCspKqZ
 QkOB6hZvMDdQYUPLtlHDNM/nnm9qcoHopAJqZB7Bfhi9BAskZa0Qk9ahnRf2aeHSA/FyncJfy
 NLCbXDCIIY2VQS3QyeOk13d9FD65/7VAKkqp7jWlmYH4roVnnxAUePI947DhvbKCvBg4W2EpP
 vVteg/asB6zLJh9Qef8PN6n0zGP9EWAgIGYAg5k8L9PMR+kxIGSqDe+1G+35pcdfMvTbRgGxf
 GZQpR0O6qGyj7mXrOCMTZ7fHFDrgm+BzX8sLUCUq0JKwgztCJox0n0wCDjem2sezT2t5hWN3w
 Hcfinrh8cm5etT0cbgb37L/3p6Yh1zGwloUBa7eVfs344SNGBw5qDo59AcxtlGK4ncTdD8pDY
 +fxA4f3E9gqWJXxGZokNQEM5z7Q7q9ASvT/Q3NYGosPVkUKv5Jqd9CBsPQCehHh4ko8QjaEJp
 ipzaz47dBnBxZ0zL0qbnAQ2sYSsFH3UlqYAnsv6FyPHd0YMFeNrmlEsOeSr5oCxpyN9Kldn2p
 JRSiGk+324FxviHAsikLYDzJaqdKKl0kj6cKW25hrbOdMI3/fl5aifKdM6TJ1CUk3lX2yd1dN
 3SSsg3PHL8vXwEXTB+pgUnC/xrFPaF6zOJErfZXK0OnHtTIeNxhK+bTcSHYuJ1iQzkQgR67Kv
 tecko0TKjdz+rb/RldDn41S9fK07Ro9Op4/zwPZeRMNclsqwOQeLQLkinfRwAvJnBeeufKOIp
 SQ3ipd0DakQrj/Sl0TjVR9dQzpHQ6TYSLQAbCZv/8BM6oPV2wI=
Subject: Re: [PHP-DEV] Unserialize security policy
From: cmbecker69@gmx.de ("Christoph M. Becker")

On 11.08.2017 at 12:55, Nikita Popov wrote:

> I think it might also be useful to make a distinction based on
> allowed_classes here. I think there is a reasonable expectation that if
> allowed_classes is empty (and as such any object injection vectors are
> excluded), unserialize() should be safe. The vast majority of unserialize()
> bugs are variants on the theme of __wakeup() and
> Serializable::unserialize(). But there are also bugs that apply with
> allowed_classes=>[], for example https://bugs.php.net/bug.php?id=75054.

What about references?  Consider, for instance, the following code:

    <?php

    $_POST['untrusted_input'] = 'a:1:{i:0;a:1:{i:0;R:2;}}';

    function flatten($array)
    {
        if (is_array($array)) {
            $result = [];
            foreach ($array as $element) {
                $result = array_merge($result, flatten($element));
            }
            return $result;
        }
        return [$array];
    }

    $unserializedInput = unserialize($_POST['untrusted_input'], []);
    flatten($unserializedInput);

Of course, the `flatten()` function is naive, but it is fine for any
"normal" input.  However, this very code has a DOS issue.  Do we really
want to say that it is the developers responsibility to check for
infinite recursion for code that uses the result of `unserialize(…, [])`
in this way?

It appears to me that `unserialize()` cannot ever be safe, unless class
instantiation *and* references can be excluded.  (Neither of these
"features" are available in JSON or (supposed to be) in WDDX, by the
way.)  While the former is possible, the latter is not (yet), so in my
humble opinion we should not try to claim that `unserialize(…, [])` is
safe, at least unless there is a mechanism to disallow unserializing of
references, too.

-- 
Christoph M. Becker