Newsgroups: php.internals
From: Dmitry Stogov <dmitry@zend.com>
To: Nikita Popov
CC: Dmitry Stogov, Stanislav Malyshev, Zeev Suraski, Xinchen Hui, Nikita Popov, rasmus@lerdorf.com, Sara Golemon, PHP internals list
Date: Thu, 12 Oct 2017 15:53:27 +0000
Message-ID: <5121480d-a9c3-4214-b280-a690bdf5f2b9@email.android.com>
Subject: Re: Fix for unserialise() "vulnerabilities"

On Oct 12, 2017 6:01 PM, Nikita Popov <nikita.ppv@gmail.com> wrote:
> On Thu, Oct 12, 2017 at 4:38 PM, Dmitry Stogov <dmitry@zend.com> wrote:
>> Hi,
>>
>> I've found that at least half of unserialise() security problems occur because of a non-symmetric serialize/unserialize assumption regarding references encoded with "r".
>>
>> serialize() assumes it's an object.
>>
>> https://github.com/php/php-src/blob/master/ext/standard/var.c#L828
>>
>> unserialize() allows any value.
>>
>> https://github.com/php/php-src/blob/master/ext/standard/var_unserializer.re#L677
>>
>> This allows manual crafting of strings that may lead to the creation of unexpected data structures.
>>
>> I propose to fix this just by fixing the symmetry.
>>
>> https://gist.github.com/dstogov/53382540bdfee7b6c7dadf142dc437ed
>>
>> This will prohibit some manually crafted strings.
>>
>> Of course, this will break a few "security"-related tests. Especially:
>>
>>> Bug #70284 (Use after free vulnerability in unserialize() with GMP) [ext/gmp/tests/bug70284.phpt]
>>> Bug #70211 (php 7 ZEND_HASH_IF_FULL_DO_RESIZE use after free) [ext/soap/tests/bug70211.phpt]
>>> Bug #70172 - Use After Free Vulnerability in unserialize() [ext/standard/tests/serialize/bug70172.phpt]
>>> Bug #70963 (Unserialize shows UNKNOW in result) [ext/standard/tests/serialize/bug70963.phpt]
>>> Memleaks if unserialize return a self-referenced array/object [ext/standard/tests/serialize/unserialize_mem_leak.phpt]
>>> Bug #72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize [ext/standard/tests/strings/bug72433.phpt]
>>
>> Any objections? (this is for master only of course)
>
> Hi,
>
> I don't think this will really fix any vulnerabilities, because the core issue is R references, not r references. If this prevents a vulnerability using r, you can usually replicate something similar using R instead.
>
> However, I still agree that it makes sense to restrict this. Especially because unserialize() currently allows creating structures that are just impossible in plain PHP, such as cyclic arrays without use of references (GLOBALS notwithstanding).
>
> The check looks too strict to me though. Shouldn't it first DEREF the value before performing the OBJECT check? (E.g. for something like "a:3:{i:0;O:8:"stdClass":0:{}i:1;R:2;i:2;r:2;}", in which case r:2 will be a REF to OBJECT).

Thanks for catching. You are right. I'll fix the patch a bit later. Just add DEREF.

Dmitry.

> Regards,
> Nikita
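A toy model of the `r:`/`R:` handling the thread is about, added here as an illustration (it is not code from php-src, from Dmitry's gist, or from either poster): it enforces Dmitry's symmetry rule that `r:` may only name an object, and the hypothetical `deref` flag shows why Nikita's DEREF step is needed for his `a:3:{...}` example. It assumes PHP's slot numbering, where every value except `R:` occupies a var_hash slot and array/property keys take none, and it only knows the `i`, `s`, `a`, `O`, `R` and `r` type tags.

```python
import re
class Ref:   # models a PHP reference cell (IS_REFERENCE), what R: creates
    def __init__(self, value): self.value = value
class Obj:   # models a PHP object (IS_OBJECT), what O: creates
    def __init__(self, cls): self.cls, self.props = cls, {}
class Unserializer:
    # Toy PHP unserialize() modelling var_hash slot numbering: every value except R: takes
    # a slot; r: must name an object. 'deref' (a hypothetical flag) is Nikita's DEREF step.
    def __init__(self, data, deref=True):
        self.s, self.pos, self.slots, self.deref = data, 0, [], deref
    def take(self, pat):
        m = re.match(pat, self.s[self.pos:])
        if not m: raise ValueError("syntax error at offset %d" % self.pos)
        self.pos += m.end(); return m
    def key(self):  # array/property keys are parsed without a slot (var_hash == NULL in PHP)
        tmp = {}; self.value(tmp, 0, push=False); return tmp[0]
    def value(self, into, key, push=True):
        t = self.s[self.pos:self.pos + 1]
        if push and t not in ('R', 'r'): self.slots.append((into, key))  # R: never takes a slot
        if t == 'i': into[key] = int(self.take(r'i:(-?\d+);').group(1))
        elif t == 's':
            n = int(self.take(r's:(\d+):"').group(1))
            into[key] = self.s[self.pos:self.pos + n]; self.pos += n; self.take(r'";')
        elif t == 'a':
            into[key] = arr = {}
            for _ in range(int(self.take(r'a:(\d+):\{').group(1))): self.value(arr, self.key())
            self.take(r'\}')
        elif t == 'O':
            m = self.take(r'O:(\d+):"([^"]*)":(\d+):\{'); into[key] = obj = Obj(m.group(2))
            for _ in range(int(m.group(3))): self.value(obj.props, self.key())
            self.take(r'\}')
        elif t in ('R', 'r'):
            n = int(self.take(r'[Rr]:(\d+);').group(1))
            if not 1 <= n <= len(self.slots): raise ValueError("unknown slot %d" % n)
            c, k = self.slots[n - 1]; target = c[k]
            if t == 'R':  # PHP reference: turn that slot into a Ref cell shared by both entries
                if not isinstance(target, Ref): target = c[k] = Ref(target)
            else:         # repeated object: DEREF first, then insist on an object (serialize() symmetry)
                if self.deref and isinstance(target, Ref): target = target.value
                if not isinstance(target, Obj): raise ValueError("r:%d does not name an object" % n)
                if push: self.slots.append((into, key))
            into[key] = target
        else: raise ValueError("unsupported type tag %r at offset %d" % (t, self.pos))

def php_unserialize(data, deref=True):
    root = {}; Unserializer(data, deref).value(root, 0); return root[0]

def accepts(data, deref=True):  # True if the payload passes the r: check under that policy
    try: php_unserialize(data, deref); return True
    except ValueError: return False
```

With `deref=False` (the check as first proposed) Nikita's string is rejected although `r:2` ends up naming the stdClass object through a reference; with the DEREF it is accepted, while a reference-free cyclic array such as `a:1:{i:0;r:1;}` is still refused.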