To: Nikita Popov, Stanislav Malyshev
Cc: PHP internals
Date: Wed, 16 Aug 2017 00:32:15 +0200
Subject: Re: [PHP-DEV] Unserialize security policy
From: cmbecker69@gmx.de ("Christoph M. Becker")

On 15.08.2017 at 23:56, Christoph M. Becker wrote:

> What about references? Consider, for instance, the following code:
>
>     $_POST['untrusted_input'] = 'a:1:{i:0;a:1:{i:0;R:2;}}';
>
>     function flatten($array)
>     {
>         if (is_array($array)) {
>             $result = [];
>             foreach ($array as $element) {
>                 $result = array_merge($result, flatten($element));
>             }
>             return $result;
>         }
>         return [$array];
>     }
>
>     $unserializedInput = unserialize($_POST['untrusted_input'], []);
>     flatten($unserializedInput);
>
> Of course, the `flatten()` function is naive, but it is fine for any
> "normal" input. However, this very code has a DOS issue. Do we really
> want to say that it is the developer's responsibility to check for
> infinite recursion for code that uses the result of `unserialize(…, [])`
> in this way?
>
> It appears to me that `unserialize()` cannot ever be safe, unless class
> instantiation *and* references can be excluded. (Neither of these
> "features" is available in JSON or (supposed to be) in WDDX, by the
> way.) While the former is possible, the latter is not (yet), so in my
> humble opinion we should not try to claim that `unserialize(…, [])` is
> safe, at least unless there is a mechanism to disallow unserializing of
> references, too.

My apologies for not having read the documentation! Actually, I meant
unserialize(…, ['allowed_classes' => false]) instead of unserialize(…, []).

-- 
Christoph M. Becker
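As an added illustration (not part of Christoph's message or of PHP's own code), the same self-referencing payload run through a depth-bounded variant of the quoted `flatten()`; the function name `flattenBounded` and the cap of 64 are my own choices for the example:

```php
<?php
declare(strict_types=1);

// Constructed input: the same self-referencing payload quoted in the thread.
// R:2 points the inner array's only element back at the inner array itself,
// so the structure is two levels deep on the wire but cyclic once unserialized.
$untrusted = 'a:1:{i:0;a:1:{i:0;R:2;}}';

// allowed_classes => false stops object instantiation but, as the thread
// says, does nothing about references. The 'max_depth' option (PHP >= 7.4)
// bounds the nesting of the serialized text, which here is only 2, so it
// does not stop the cycle either.
$data = unserialize($untrusted, ['allowed_classes' => false]);

// Hypothetical hardened variant of the quoted flatten(): it stops descending
// past $maxDepth levels and throws, instead of recursing until the stack or
// memory is exhausted. The cap of 64 is an arbitrary choice for this example.
function flattenBounded($value, int $maxDepth = 64, int $depth = 0): array
{
    if (!is_array($value)) {
        return [$value];
    }
    if ($depth >= $maxDepth) {
        throw new RuntimeException(
            "array nesting exceeds $maxDepth levels; refusing to flatten"
        );
    }
    $result = [];
    foreach ($value as $element) {
        // Push the flattened child in place; array_merge in a loop is quadratic.
        array_push($result, ...flattenBounded($element, $maxDepth, $depth + 1));
    }
    return $result;
}

try {
    $flat = flattenBounded($data);
    echo "flattened into ", count($flat), " scalar(s)\n";
} catch (RuntimeException $e) {
    // Reject the request and log it rather than let the worker crash.
    error_log('rejected unserialized payload: ' . $e->getMessage());
    echo "rejected: ", $e->getMessage(), "\n";
}
```

With the cyclic payload the script takes the catch branch; with ordinary nested arrays it flattens them as the original did.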