Newsgroups: php.internals
Subject: Re: [PHP-DEV] Unserializes, inheritance and allows_classes
From: ocramius@gmail.com (Marco Pivetta)
To: Marcos Passos
Cc: internals
Date: Fri, 18 Jan 2019 01:53:03 +0100

On Fri, Jan 18, 2019 at 1:50 AM Marcos Passos wrote:
> Hi Marco,
>
>> Also: nothing denies an attacker from defining a subtype to your class,
>> then passing a malicious instance to your application.
>
> Fact, but it also reveals a fragility in the solution in the sense that
> one has to opt between flexible design or security.
>
> On Thu, 17 Jan 2019 at 22:24, Marco Pivetta wrote:
>
>> On Fri, Jan 18, 2019 at 12:49 AM Marcos Passos <marcospassos.com@gmail.com> wrote:
>>
>>> Hi internals,
>>>
>>> Today I stumbled upon a limitation when implementing the unserialize method
>>> of a serializable class which depends on an abstraction that is also
>>> serializable. Currently, there is no way to unserialize an object specifying
>>> a parent class in the allowed_classes option:
>>>
>>> class SerializableBase implements \Serializable {
>>>     // Minimal implementations so the base class satisfies the interface
>>>     // and the snippet compiles.
>>>     public function serialize() : string {
>>>         return '';
>>>     }
>>>     public function unserialize($data) : void {
>>>     }
>>> }
>>> class SerializableChild extends SerializableBase {
>>> }
>>> class Foo implements \Serializable {
>>>     private $dependency;
>>>     public function __construct(SerializableBase $dependency) {
>>>         $this->dependency = $dependency;
>>>     }
>>>     public function serialize() : string {
>>>         return \serialize($this->dependency);
>>>     }
>>>     public function unserialize($data) : void {
>>>         // allowed_classes takes an array of class names (or a bool);
>>>         // a bare string is not a whitelist.
>>>         $this->dependency = \unserialize($data, ['allowed_classes' =>
>>>             [SerializableBase::class]]);
>>>     }
>>> }
>>>
>>> Is this an intentional limitation?
>>>
>> Seems expected to me: `allowed_classes` is a whitelist, not a complex
>> filter/ruleset.
>>
>> Also: nothing denies an attacker from defining a subtype to your class,
>> then passing a malicious instance to your application.
>>
>> Marco Pivetta
>> http://twitter.com/Ocramius
>> http://ocramius.github.com/
>

Security is not a choice. The design is not fragile, it is strict and correct.

Marco Pivetta
http://twitter.com/Ocramius
http://ocramius.github.com/
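The exact-match behaviour of `allowed_classes` discussed above, shown as an added example (not code from either participant in the thread). The classes and the `unserializeAs()` helper are constructed for the demonstration; only `unserialize()`, its `allowed_classes` option and `__PHP_Incomplete_Class` are PHP's own. The pattern is the defender's answer to the "flexibility vs. security" concern: list every concrete class that may legitimately appear, then verify the type of what came back.

```php
<?php
declare(strict_types=1);

// Constructed classes for this demonstration; they stand in for the
// SerializableBase/SerializableChild hierarchy from the thread.
class SerializableBase {}
class SerializableChild extends SerializableBase {}
class Unrelated {}

/**
 * Hypothetical helper (not part of PHP): unserialize with an exact-name
 * whitelist, then verify the result is an instance of the expected type.
 *
 * allowed_classes compares class names literally and knows nothing about
 * inheritance, so every concrete class that may legitimately appear in the
 * payload must be listed. Anything not listed is materialised as
 * __PHP_Incomplete_Class, which fails the instanceof check and is rejected.
 */
function unserializeAs(string $data, string $expected, array $allowed): object
{
    $value = unserialize($data, ['allowed_classes' => $allowed]);
    if (!$value instanceof $expected) {
        $got = is_object($value) ? get_class($value) : gettype($value);
        throw new UnexpectedValueException("Expected $expected, got $got");
    }
    return $value;
}

$payload = serialize(new SerializableChild());

// Listing only the parent does not admit the child: the whitelist is exact.
$obj = unserialize($payload, ['allowed_classes' => [SerializableBase::class]]);
printf("parent only  -> %s\n", get_class($obj));

// Listing both concrete classes admits the child, and the type check passes.
$obj = unserializeAs(
    $payload,
    SerializableBase::class,
    [SerializableBase::class, SerializableChild::class]
);
printf("both listed  -> %s\n", get_class($obj));

// A class outside the whitelist never reaches application code as a live
// object: it comes back incomplete and the type check rejects it.
try {
    unserializeAs(
        serialize(new Unrelated()),
        SerializableBase::class,
        [SerializableBase::class, SerializableChild::class]
    );
} catch (UnexpectedValueException $e) {
    printf("unlisted     -> %s\n", $e->getMessage());
}
```

Run with `php example.php`: the first line reports `__PHP_Incomplete_Class`, the second `SerializableChild`, and the third `Expected SerializableBase, got __PHP_Incomplete_Class`. Note that the option must be an array (or a bool): passing a single class-name string, as in the original snippet, is not a whitelist, and current PHP releases reject it with a TypeError. The post-unserialize `instanceof` check is what turns the literal whitelist into the type contract the constructor expects, without widening what the deserializer is allowed to instantiate.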