Newsgroups: php.internals
Date: Thu, 17 Jan 2019 23:00:48 -0200
From: marcospassos.com@gmail.com (Marcos Passos)
To: Marco Pivetta
Cc: internals
Subject: Re: [PHP-DEV] Unserializes, inheritance and allows_classes

How would you fix this example, then? Perhaps we should add more examples in the docs.

On Thu, 17 Jan 2019 at 22:53, Marco Pivetta wrote:

> On Fri, Jan 18, 2019 at 1:50 AM Marcos Passos wrote:
>
>> Hi Marco,
>>
>>> Also: nothing denies an attacker from defining a subtype to your class,
>>> then passing a malicious instance to your application.
>>
>> Fact, but it also reveals a fragility in the solution in the sense that
>> one has to opt between flexible design or security.
>>
>> On Thu, 17 Jan 2019 at 22:24, Marco Pivetta wrote:
>>
>>> On Fri, Jan 18, 2019 at 12:49 AM Marcos Passos <marcospassos.com@gmail.com> wrote:
>>>
>>>> Hi internals,
>>>>
>>>> Today I stumbled upon a limitation when implementing the unserialize method
>>>> of a serializable class which depends on an abstraction also serializable.
>>>> Currently, there is no way to unserialize an object specifying a parent
>>>> class in the allowed_classes option:
>>>>
>>>> class SerializableBase implements \Serializable {
>>>>     // Minimal implementations so the base class satisfies the interface.
>>>>     public function serialize() : string { return ''; }
>>>>     public function unserialize($data) : void {}
>>>> }
>>>> class SerializableChild extends SerializableBase {
>>>> }
>>>> class Foo implements \Serializable {
>>>>     private $dependency;
>>>>     public function __construct(SerializableBase $dependency) {
>>>>         $this->dependency = $dependency;
>>>>     }
>>>>     public function serialize() : string {
>>>>         return \serialize($this->dependency);
>>>>     }
>>>>     public function unserialize($data) : void {
>>>>         // allowed_classes takes an array of class names and matches exact
>>>>         // names only, so a SerializableChild in $data is not accepted here.
>>>>         $this->dependency = \unserialize($data, ['allowed_classes' => [SerializableBase::class]]);
>>>>     }
>>>> }
>>>>
>>>> Is this an intentional limitation?
>>>
>>> Seems expected to me: `allowed_classes` is a whitelist, not a complex
>>> filter/ruleset.
>>>
>>> Also: nothing denies an attacker from defining a subtype to your class,
>>> then passing a malicious instance to your application.
>>>
>>> Marco Pivetta
>>> http://twitter.com/Ocramius
>>> http://ocramius.github.com/
>
> Security is not a choice. The design is not fragile, it is strict and
> correct.
>
> Marco Pivetta
> http://twitter.com/Ocramius
> http://ocramius.github.com/
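As an added example that is not part of the thread, the following script shows the whitelist behaviour Marco describes (a parent class in allowed_classes does not admit its subclasses) and the check a caller needs on the result of unserialize() before using it. Class names are constructed for illustration, and plain objects stand in for the thread's Serializable classes so that only the allowed_classes matching is in play.

```php
<?php
// Added example, not from the thread: allowed_classes is an exact-name
// whitelist, so naming the parent class does not admit its subclasses.
// The class names are constructed for illustration.
class SerializableBase { public $tag = 'base'; }
class SerializableChild extends SerializableBase { public $extra = 'child'; }

function restoreDependency(string $payload, array $allowed): SerializableBase
{
    $obj = \unserialize($payload, ['allowed_classes' => $allowed]);

    // A class outside the whitelist comes back as __PHP_Incomplete_Class, and
    // unserialize() returns false on malformed input; reject both before use.
    if ($obj === false || $obj instanceof \__PHP_Incomplete_Class) {
        throw new \UnexpectedValueException('payload contains a class outside the whitelist');
    }
    if (!$obj instanceof SerializableBase) {
        throw new \UnexpectedValueException('payload is not a SerializableBase');
    }
    return $obj;
}

$payload = \serialize(new SerializableChild());

// 1. Parent-only whitelist: the limitation from the thread, the child is rejected.
try {
    restoreDependency($payload, [SerializableBase::class]);
} catch (\UnexpectedValueException $e) {
    echo "parent-only whitelist: ", $e->getMessage(), "\n";
}

// 2. Whitelist that names every concrete class the application accepts.
$dep = restoreDependency($payload, [SerializableBase::class, SerializableChild::class]);
echo "explicit whitelist restored a ", get_class($dep), "\n";
```

Listing the concrete classes explicitly is the strict reading of the option; the instanceof check after unserialize() is what keeps an incomplete or unexpected object from reaching type-hinted code.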