Newsgroups: php.internals
To: Raymond Irving, PHP Internals
Cc: bishop@php.net
Message-ID: <2e70065b-160b-7134-03ee-1a6025a6467c@gmail.com>
Date: Sun, 14 Apr 2019 14:47:18 -0700
Subject: Re: [PHP-DEV] PHP deserialization techniques offer rich pickings for security researchers
From: smalyshev@gmail.com (Stanislav Malyshev)

Hi!

> I came across this article which highlights a few issues with PHP
> deserialization techniques:
>
> https://portswigger.net/daily-swig/phar-out-php-deserialization-techniques-offer-rich-pickings-for-security-researchers

PHP serialization is not meant to be used with external or user-modifiable data. Looks like the crux of the issue is that phar uses unserialize() to read metadata, which is an insecure scenario since it is common to deal with external phar files and it's not obvious there can be serialized data. The particular Drupal exploit seems to be caused by insecure coding (one should not be able to give phar streams to system paths), but the general issue of reading phars being insecure stays.
It is a bit problematic since there are no limitations on what can be stored in Phar metadata, so we can't really prohibit anything there without breaking BC. I would start with banning objects there (at least by default), but that again would be a BC break if somebody did use objects there. A more workable idea would be to not parse metadata unless getMetadata() is explicitly called. The chance of code that did not intend to use metadata using this call is nil, thus eliminating the deserialization vector in most cases. OTOH, BC is kept since the metadata is still available for the code that needs it. I'll try to implement this soon.

-- 
Stas Malyshev
smalyshev@gmail.com
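Added example, not from this thread and not PHP's own phar code: a defender-side scanner that pulls the metadata field out of a phar manifest as raw bytes, following the manifest layout documented in the PHP manual, and flags metadata that unserialize() would turn into objects, without ever unserializing it (the same "don't parse until asked" idea as above, applied to file scanning). The stub-terminator handling, the regex and the build_phar helper that constructs the sample images are assumptions for this demo; the real phar reader may accept stub variants this parser does not.

```python
import re
import struct
from typing import Optional

HALT = b"__HALT_COMPILER();"
# serialize() markers that make unserialize() instantiate a class: O: (object) and C: (custom).
# A plain string that merely contains such text is flagged too; for a scanner that is the safe side.
OBJECT_MARKER = re.compile(rb'[OC]:\d+:"')


def phar_metadata(image: bytes) -> Optional[bytes]:
    """Return the raw serialized metadata bytes of a phar image, never unserializing them.

    Returns None when the image carries no __HALT_COMPILER(); stub, i.e. is not a phar.
    Manifest layout (little-endian, per the PHP manual): manifest length, file count,
    API version, global flags, alias length, alias, metadata length, metadata.
    Assumed stub terminator handling: optional ' ?>' followed by an optional newline.
    """
    pos = image.find(HALT)
    if pos < 0:
        return None
    pos += len(HALT)
    if image.startswith(b" ?>", pos):
        pos += 3
    if image.startswith(b"\r\n", pos):
        pos += 2
    elif image.startswith(b"\n", pos):
        pos += 1
    _manifest_len, _files, _api, _flags, alias_len = struct.unpack_from("<IIHII", image, pos)
    pos += 18 + alias_len
    (meta_len,) = struct.unpack_from("<I", image, pos)
    pos += 4
    return image[pos:pos + meta_len]


def scan_phar(image: bytes) -> str:
    """Classify an image: 'not-a-phar', 'no-metadata', 'scalar-metadata' or 'object-metadata'."""
    meta = phar_metadata(image)
    if meta is None:
        return "not-a-phar"
    if not meta:
        return "no-metadata"
    return "object-metadata" if OBJECT_MARKER.search(meta) else "scalar-metadata"


def build_phar(meta: bytes, alias: bytes = b"demo.phar") -> bytes:
    """Constructed sample: a minimal phar image (stub + manifest header, zero file entries)
    so the scanner can run offline. Not a loadable archive, just enough of the manifest."""
    body = struct.pack("<IHII", 0, 0x1100, 0, len(alias)) + alias
    body += struct.pack("<I", len(meta)) + meta
    return b"<?php " + HALT + b" ?>\r\n" + struct.pack("<I", len(body)) + body
```

Because the check only inspects bytes, it can be run over uploads or a deployment tree by a process that has no PHP and no phar extension loaded at all.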