Newsgroups: php.internals
From: Stanislav Malyshev <smalyshev@gmail.com>
To: Nikita Popov
Cc: PHP internals
Date: Tue, 15 Aug 2017 22:02:37 -0400
Subject: Re: [PHP-DEV] Unserialize security policy
Message-ID: <5d80894b-966f-e63c-4000-3fc0c8d2161b@gmail.com>

Hi!

> The two main points are:
> 1. While it's true that if you're using unserialize() on untrusted input
> you are most likely going to be vulnerable due to object injection, it may
> be quite hard for an attacker to exploit this for closed source

Objects are not the problem (unless it's internal objects, in which case the
extension/code authors should have known better, but frequently don't).
References are a huge problem: there are too many scenarios where references
can be made completely broken with bad serialized data.

> 2. We should be able to precipitate most unserialize() bugs by regularly
> fuzzing it ourselves. The setup for doing so is also provided.
That assumes that problems in unserialize() stem from some accidental errors
like an off-by-one here and there. I don't think that's the case - I think
that, given reference support, it may not be possible to make it robust
against every hostile input without completely rewriting the whole code, and
even then I'm not sure it's possible. References can create links between
unrelated data items, which may lead to very subtle problems with semantics
inside objects, etc., which the current code is just not prepared to handle.

--
Stas Malyshev
smalyshev@gmail.com
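Added here to illustrate the defensive stance the thread implies, and not code from this thread or from php-src: a conservative pre-check that walks an untrusted serialized payload, accepts only scalars and arrays, and refuses object and reference tokens before unserialize() ever runs. The function names `walk` and `unserialize_untrusted` and the sample payloads are my own constructions.

```php
<?php
// Illustrative, not a PHP API. Token grammar accepted: N; b:<0|1>; i:<n>; d:<f>;
// s:<len>:"<bytes>"; a:<n>:{<key><value>...}  -- anything else is refused.
function walk(string $s, int &$pos, int $depth = 0): void
{
    if ($depth > 32) throw new UnexpectedValueException('nesting too deep');
    switch ($s[$pos] ?? '') {
        case 'N': case 'b': case 'i': case 'd':        // scalars end at the next ';'
            $end = strpos($s, ';', $pos);
            if ($end === false) throw new UnexpectedValueException('unterminated scalar');
            $pos = $end + 1;
            return;
        case 's':                                      // length-prefixed string
            if (!preg_match('/\Gs:(\d{1,9}):"/', $s, $m, 0, $pos)) break;
            $pos += strlen($m[0]) + (int) $m[1];       // skip the body byte-for-byte,
            if (substr($s, $pos, 2) !== '";') break;   // so an "O:" inside it is harmless
            $pos += 2;
            return;
        case 'a':                                      // array: n key/value pairs
            if (!preg_match('/\Ga:(\d{1,9}):\{/', $s, $m, 0, $pos)) break;
            $pos += strlen($m[0]);
            for ($i = 0; $i < 2 * (int) $m[1]; $i++) walk($s, $pos, $depth + 1);
            if (($s[$pos] ?? '') !== '}') break;
            $pos++;
            return;
    }
    // O:, C:, R:, r:, malformed input, or anything unknown lands here.
    throw new UnexpectedValueException("refused or malformed token at offset $pos");
}

function unserialize_untrusted(string $data)
{
    $pos = 0;
    walk($data, $pos);
    if ($pos !== strlen($data)) throw new UnexpectedValueException('trailing data');
    // Second layer: even if a class token slipped through, no __wakeup()/__destruct()
    // of an attacker-chosen class runs (the allowed_classes option exists since PHP 7.0).
    return unserialize($data, ['allowed_classes' => false]);
}

var_dump(unserialize_untrusted('a:2:{i:0;s:3:"O:1";i:1;i:7;}')); // accepted: "O:1" is string bytes
try { unserialize_untrusted('a:2:{i:0;s:1:"x";i:1;R:2;}'); }        // refused: reference token
catch (UnexpectedValueException $e) { echo $e->getMessage(), "\n"; }
```

The walk deliberately leaves malformed scalars such as `i:abc;` to unserialize() itself, which returns false for them; its only job is to keep object and reference tokens out of the parser the thread is discussing.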