Newsgroups: php.internals
Xref: news.php.net php.internals:103757
From: ocramius@gmail.com (Marco Pivetta)
Date: Fri, 18 Jan 2019 01:24:06 +0100
To: Marcos Passos
Cc: internals
Subject: Re: [PHP-DEV] Unserializes, inheritance and allows_classes

On Fri, Jan 18, 2019 at 12:49 AM Marcos Passos wrote:

> Hi internals,
>
> Today I stumbled upon a limitation when implementing the unserialize method
> of a serializable class which depends on an abstraction that is also serializable.
> Currently, there is no way to unserialize an object specifying a parent
> class in the allowed_classes option:
>
> class SerializableBase implements \Serializable {
>     // Minimal method bodies so the example compiles: \Serializable requires both.
>     public function serialize() : string {
>         return '';
>     }
>
>     public function unserialize($data) : void {
>     }
> }
>
> class SerializableChild extends SerializableBase {
> }
>
> class Foo implements \Serializable {
>     private $dependency;
>
>     public function __construct(SerializableBase $dependency) {
>         $this->dependency = $dependency;
>     }
>
>     public function serialize() : string {
>         return \serialize($this->dependency);
>     }
>
>     public function unserialize($data) : void {
>         // allowed_classes takes an array of class names (or a bool), not a bare string.
>         $this->dependency = \unserialize($data, ['allowed_classes' => [SerializableBase::class]]);
>     }
> }
>
> Is this an intentional limitation?

Seems expected to me: `allowed_classes` is a whitelist, not a complex filter/ruleset.

Also: nothing denies an attacker from defining a subtype to your class, then passing a malicious instance to your application.

Marco Pivetta
http://twitter.com/Ocramius
http://ocramius.github.com/
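The following is an added example, written for this page and not code posted by either participant, that shows the whitelist behaviour Marco describes: `allowed_classes` matches class names exactly, so a serialized subclass is not accepted just because its parent is listed, and arrives as `__PHP_Incomplete_Class` instead. The helper `unserializeDependency` and the `$label`/`$extra` properties are assumptions made for the example; the classes are plain (not implementing `\Serializable`) to keep the focus on the option itself. It runs on PHP 7.0 or later.

```php
<?php
declare(strict_types=1);

// Constructed classes for the example; only the names match the thread.
class SerializableBase
{
    public $label;

    public function __construct(string $label = 'base')
    {
        $this->label = $label;
    }
}

class SerializableChild extends SerializableBase
{
    public $extra;

    public function __construct(int $extra = 0)
    {
        parent::__construct('child');
        $this->extra = $extra;
    }
}

// Hypothetical helper: unserialize against an explicit whitelist of concrete
// class names, then enforce the type the caller actually depends on.
function unserializeDependency(string $payload, array $allowed, string $expectedType): SerializableBase
{
    $value = \unserialize($payload, ['allowed_classes' => $allowed]);

    // A class missing from the whitelist is materialised as __PHP_Incomplete_Class,
    // which is not an instance of SerializableBase, so the instanceof check rejects it.
    if (!$value instanceof $expectedType) {
        $actual = \is_object($value) ? \get_class($value) : \gettype($value);
        throw new UnexpectedValueException(
            'Payload did not unserialize to ' . $expectedType . ' but to ' . $actual
        );
    }

    return $value;
}

// Constructed payload: a serialized subclass instance.
$payload = \serialize(new SerializableChild(42));

// 1. Whitelisting only the parent does not cover the subclass.
$parentOnly = \unserialize($payload, ['allowed_classes' => [SerializableBase::class]]);
\var_dump($parentOnly instanceof __PHP_Incomplete_Class);
\var_dump($parentOnly instanceof SerializableBase);

// 2. Every concrete class the caller accepts has to be named explicitly.
$accepted = unserializeDependency(
    $payload,
    [SerializableBase::class, SerializableChild::class],
    SerializableBase::class
);
\var_dump($accepted instanceof SerializableChild);

// 3. The guarded helper turns the incomplete-class case into a hard failure
//    instead of letting a wrong-typed object flow into the application.
try {
    unserializeDependency($payload, [SerializableBase::class], SerializableBase::class);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Step 1 prints true then false: the object came back as `__PHP_Incomplete_Class`, not as the parent type. Step 2 prints true once both concrete names are listed, and step 3 prints the exception message. The practical takeaway for the pattern in Marcos's `Foo::unserialize` is to enumerate the concrete classes you are willing to instantiate and to follow the call with an `instanceof` check, rather than expecting the option to reason about the class hierarchy.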