Newsgroups: php.internals
Xref: news.php.net php.internals:103758
Date: Thu, 17 Jan 2019 22:50:08 -0200
From: marcospassos.com@gmail.com (Marcos Passos)
To: Marco Pivetta
Cc: internals
Subject: Re: [PHP-DEV] Unserializes, inheritance and allows_classes

Hi Marco,

> Also: nothing denies an attacker from defining a subtype to your class,
> then passing a malicious instance to your application.

Fact, but it also reveals a fragility in the solution in the sense that one
has to opt between flexible design or security.

On Thu, 17 Jan 2019 at 22:24, Marco Pivetta wrote:

> On Fri, Jan 18, 2019 at 12:49 AM Marcos Passos wrote:
>
>> Hi internals,
>>
>> Today I stumbled upon a limitation when implementing the unserialize
>> method of a serializable class which depends on an abstraction also
>> serializable. Currently, there is no way to unserialize an object
>> specifying a parent class in the allowed_classes option:
>>
>>     class SerializableBase implements \Serializable {
>>         // Minimal bodies so the snippet compiles; the interface requires both.
>>         public function serialize() : string { return ''; }
>>         public function unserialize($data) : void { }
>>     }
>>
>>     class SerializableChild extends SerializableBase {
>>     }
>>
>>     class Foo implements \Serializable {
>>         private $dependency;
>>
>>         public function __construct(SerializableBase $dependency) {
>>             $this->dependency = $dependency;
>>         }
>>
>>         public function serialize() : string {
>>             return \serialize($this->dependency);
>>         }
>>
>>         public function unserialize($data) : void {
>>             // allowed_classes takes an array of class names (or a bool);
>>             // only SerializableBase itself is admitted here, so a serialized
>>             // SerializableChild is not restored as a SerializableChild.
>>             $this->dependency = \unserialize($data, [
>>                 'allowed_classes' => [SerializableBase::class],
>>             ]);
>>         }
>>     }
>>
>> Is this an intentional limitation?
>
> Seems expected to me: `allowed_classes` is a whitelist, not a complex
> filter/ruleset.
>
> Also: nothing denies an attacker from defining a subtype to your class,
> then passing a malicious instance to your application.
>
> Marco Pivetta
>
> http://twitter.com/Ocramius
>
> http://ocramius.github.com/
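The exchange above turns on one property of `allowed_classes`: it is an exact whitelist of class names, so naming a parent does not admit its children. The following is an added example, not code from the thread or from PHP itself; it reuses the thread's class names, adds `__serialize`/`__unserialize` hooks (PHP 7.4+) next to the `Serializable` methods so it runs on current releases, and shows the defensive pattern that keeps the whitelist exact: list every concrete class you are willing to instantiate, then verify the result with `instanceof` before storing it.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread): allowed_classes is matched by exact
// class name, so the safe pattern is to whitelist the concrete classes you
// expect and then check the restored value's type.

class SerializableBase implements \Serializable
{
    /** @var string */
    protected $label;

    public function __construct(string $label)
    {
        $this->label = $label;
    }

    public function label(): string
    {
        return $this->label;
    }

    // PHP 7.4+ hooks; unserialize() prefers these when they exist.
    public function __serialize(): array
    {
        return ['label' => $this->label];
    }

    public function __unserialize(array $data): void
    {
        $this->label = (string) ($data['label'] ?? '');
    }

    // Serializable interface, as used in the thread, for older runtimes.
    public function serialize(): string
    {
        return $this->label;
    }

    public function unserialize($data): void
    {
        $this->label = (string) $data;
    }
}

final class SerializableChild extends SerializableBase
{
}

// Whitelisting only the parent: a SerializableChild payload is not restored
// as a usable object, so this returns false for such a payload.
function restoredWithParentOnly(string $payload): bool
{
    $obj = \unserialize($payload, ['allowed_classes' => [SerializableBase::class]]);

    return $obj instanceof SerializableBase;
}

// Defensive pattern: name every concrete class that may be instantiated,
// then verify the type. Anything else (an unlisted class, which comes back
// as __PHP_Incomplete_Class, or a scalar) is rejected instead of stored.
function restoreDependency(string $payload): SerializableBase
{
    $obj = \unserialize($payload, [
        'allowed_classes' => [SerializableBase::class, SerializableChild::class],
    ]);

    if (!$obj instanceof SerializableBase) {
        $type = \is_object($obj) ? \get_class($obj) : \gettype($obj);
        throw new \UnexpectedValueException("Refusing to restore dependency of type $type");
    }

    return $obj;
}

// Constructed sample payload: a serialized child instance.
$childPayload = \serialize(new SerializableChild('child'));

\var_dump(restoredWithParentOnly($childPayload));      // parent-only whitelist: not restored
\var_dump(restoreDependency($childPayload)->label());  // concrete class listed: restored

// A payload naming a class that is not on the list is rejected, not stored.
try {
    restoreDependency(\serialize(new \stdClass()));
} catch (\UnexpectedValueException $e) {
    echo $e->getMessage(), "\n";
}
```

Run with `php example.php`. The first dump is `false` because `SerializableChild` is not on the parent-only list and the value comes back as `__PHP_Incomplete_Class`; the second prints the restored label; the `stdClass` payload raises the exception. On PHP 7.3, where only the `Serializable` path is used, the first call additionally emits a warning about `__PHP_Incomplete_Class` having no unserializer, which is the same outcome surfaced more loudly. The `instanceof` check is what makes the whitelist safe to widen later: adding a class to the list never lets an unexpected type reach `$dependency`.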