Newsgroups: php.internals
Date: Wed, 30 Jan 2019 10:20:11 +0100
To: Nikita Popov
Cc: PHP internals
Subject: Re: [RFC] New custom object serialization mechanism
From: nicolas.grekas+php@gmail.com (Nicolas Grekas)

Hi Nikita,

https://wiki.php.net/rfc/custom_object_serialization

In the RFC, you mention that "Executing arbitrary code in the middle of unserialization is dangerous and has led to numerous unserialize() vulnerabilities in the past. For this reason __wakeup() calls are now delayed until the end of unserialization."

How about destructors? Some vulnerabilities come from destructors doing things with unserialized state. Would it be possible/a good idea to *not* call any destructors unless the "wakeup" stage has been successful? Any exceptions thrown during __wakeup/__unserialize would mean the unserialized data structure should be destroyed without calling any destructors?

WDYT?

Nicolas
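The concern raised in the message above, as an added example that is not part of the original message or the RFC: a destructor that acts on restored state, next to a userland guard that lets the destructor act only after `__unserialize()` has validated that state, so the outcome does not depend on whether the engine calls the destructor of a rejected object. It assumes PHP 7.4 or later (where `__unserialize()` exists); the class names, the `/tmp/app/` policy and the payloads are hypothetical and constructed.

```php
<?php
// Added example: class names and $actions are hypothetical; $actions
// stands in for a destructor side effect such as temp-file cleanup.
$actions = [];

class UnguardedTemp
{
    public $path = '/tmp/app/default';
    public function __destruct()
    {
        // Acts on whatever value the serialized string supplied.
        $GLOBALS['actions'][] = "unguarded cleanup of {$this->path}";
    }
}

class GuardedTemp
{
    private $path;
    private $ready = false; // true only once the state has been validated

    public function __construct(string $path) { $this->__unserialize(['path' => $path]); }
    public function __serialize(): array { return ['path' => $this->path]; }

    public function __unserialize(array $data): void
    {
        $path = $data['path'] ?? null;
        if (!is_string($path) || !preg_match('#^/tmp/app/[A-Za-z0-9_-]+$#D', $path)) {
            throw new UnexpectedValueException('path outside /tmp/app/');
        }
        $this->path = $path;
        $this->ready = true;
    }

    public function __destruct()
    {
        if ($this->ready) { // skip objects whose restore never completed
            $GLOBALS['actions'][] = "guarded cleanup of {$this->path}";
        }
    }
}

// Constructed payloads carrying the same unexpected path.
$bad = 's:4:"path";s:15:"/srv/other/file";';
unserialize('O:13:"UnguardedTemp":1:{' . $bad . '}'); // result freed at once, so __destruct() runs
try {
    unserialize('O:11:"GuardedTemp":1:{' . $bad . '}');
} catch (UnexpectedValueException $e) {
    $actions[] = 'guarded payload rejected: ' . $e->getMessage();
}
print_r($actions);
```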