Newsgroups: php.internals
Date: Tue, 27 Nov 2018 00:00:47 +0100
To: Stanislav Malyshev
Cc: PHP internals
Subject: Re: [PHP-DEV] Built-in classes that cannot be serialized
From: nikita.ppv@gmail.com (Nikita Popov)

On Mon, Nov 26, 2018 at 11:47 PM Stanislav Malyshev wrote:

> Hi!
>
> > We should migrate such cases to serialize_deny though. I think it's
> > pretty weird to explicitly implement __wakeup (signalling that yes, you
> > can be unserialized), and then use it to throw (sorry, I lied).
>
> Throwing in __wakeup does not signal that it can be serialized. What it
> says is that if you try to unserialize it (note that the code doing
> unserialize is not the same that does serialize and has no control over
> what the argument string says - it may demand to unserialize anything)
> it won't work. That _implies_ you shouldn't also serialize it (because
> what's the point) but the important part is not to produce broken
> objects from the unserialization loop.
>
> Also, for CURLFile for example there are additional things that happen
> on __wakeup besides throwing, probably for security reasons. I am not
> sure whether they are necessary anymore as we pretty much tell people
> "don't unserialize external data" but they are there for now. Just
> moving to _deny handler would probably not keep them.

Historically, __wakeup() has been the correct way to prevent unserialization
and/or mitigate issues relating to dangerous unserialized state. The reason is
that it was possible to bypass the unserialize_deny handler by using the
O-style, rather than the C-style, serialization format. At some point this hole
was plugged and we don't allow O-unserializing classes that have
serialize/unserialize handlers.
Which is why nowadays (un)serialize_deny is our strongest defense against
unserialization vulnerabilities, because it prevents unserialization *before*
the object is constructed. In the __wakeup case the object is created first and
__wakeup is only called much later at the end of unserialization, which creates
a lot more opportunities for the usual shenanigans.

Basically, anything using a throwing __wakeup() nowadays is a leftover from
times where unserialize_deny was not properly enforced. To the best of my
knowledge, there is no good reason to use the throwing __wakeup pattern
nowadays anymore.

Regards,
Nikita
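An added example, not part of the original thread or of PHP's own sources, illustrating in user-land PHP the ordering Nikita describes: with a throwing __wakeup() the object is fully constructed and its properties populated before the refusal happens, whereas an engine-level deny handler (Closure is a real built-in that uses one) refuses before any object exists. The class LegacyHandle, the payload and the exception text are constructed for this example; the allowed_classes option of unserialize() is the real PHP 7.0+ API, shown as the call-site equivalent of "deny before construction". PHP 8 is assumed for get_debug_type() and typed properties.

```php
<?php
declare(strict_types=1);

// Constructed class (not from the thread) using the legacy throwing-__wakeup
// pattern. By the time __wakeup runs, $path has already been populated from
// the payload: the object exists, its state is set, and only then is the
// refusal issued.
final class LegacyHandle
{
    public string $path = '';

    public function __wakeup(): void
    {
        throw new RuntimeException(
            'LegacyHandle refused in __wakeup, but the object already exists with path='
            . $this->path
        );
    }
}

// Run unserialize() and report what happened instead of letting it propagate.
function describeUnserialize(string $payload, array $options = []): string
{
    try {
        $value = unserialize($payload, $options);
        return 'returned ' . get_debug_type($value);
    } catch (Throwable $e) {
        return get_class($e) . ': ' . $e->getMessage();
    }
}

// Constructed O-format payload: one LegacyHandle with a single property.
$payload = 'O:12:"LegacyHandle":1:{s:4:"path";s:9:"/tmp/demo";}';

// 1. Throwing __wakeup: the engine builds the object and fills its properties,
//    then calls __wakeup, which throws. The refusal comes after construction,
//    and the exception message shows the state that was already installed.
echo '[1] ', describeUnserialize($payload), PHP_EOL;

// 2. Engine-level deny handler: Closure is a built-in whose unserialization
//    the engine refuses (it throws an Exception) before any object is created.
//    This is the behaviour the thread recommends for built-in classes.
echo '[2] ', describeUnserialize('O:7:"Closure":0:{}'), PHP_EOL;

// 3. Call-site equivalent when you control unserialize(): an allow-list via
//    allowed_classes. Non-listed classes become inert __PHP_Incomplete_Class
//    instances, so no constructor-free object of LegacyHandle is built and
//    __wakeup is never invoked.
echo '[3] ', describeUnserialize($payload, ['allowed_classes' => false]), PHP_EOL;
```

Run it with `php example.php`: case 1 reaches __wakeup with `path=/tmp/demo` already set, case 2 is refused by the engine before construction, and case 3 returns a `__PHP_Incomplete_Class` rather than a LegacyHandle. The comparison between cases 1 and 2 is the difference the email is making: only the deny handler keeps an object of the class from ever coming into existence.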