Newsgroups: php.internals
Subject: Re: [PHP-DEV] PHP deserialization techniques offer rich pickings for security researchers
From: Raymond Irving <xwisdom@gmail.com>
To: Stanislav Malyshev
Cc: PHP Internals, bishop@php.net
Date: Mon, 15 Apr 2019 00:55:49 -0500
In-Reply-To: <2e70065b-160b-7134-03ee-1a6025a6467c@gmail.com>

Hi,

Thanks for responding to this issue.

Will calling getMetaData still parse and execute malicious code?

Raymond

On Sun, 14 Apr 2019, 4:47 PM Stanislav Malyshev, wrote:

> Hi!
>
> > I came across this article which highlights a few issues with PHP
> > deserialization techniques:
> >
> > https://portswigger.net/daily-swig/phar-out-php-deserialization-techniques-offer-rich-pickings-for-security-researchers
>
> PHP serialization is not meant to be used with external or
> user-modifiable data. Looks like the crux of the issue is that phar uses
> unserialize() to read metadata, which is an insecure scenario since it
> is common to deal with external phar files and it's not obvious there
> can be serialized data. The particular Drupal exploit seems to be caused by
> insecure coding (one should not be able to give phar streams to system
> paths) but the general issue of reading phars being insecure stays.
>
> It is a bit problematic since there are no limitations in what can be
> stored in Phar metadata, so we can't really prohibit anything there
> without breaking BC. I would start with banning objects there (at least
> by default) but that again would be a BC break if somebody did use objects
> there. A more workable idea would be to not parse metadata unless
> getMetadata() is explicitly called. The chance of code that did not
> intend to use metadata to use this call is nil, thus eliminating the
> deserialization vector in most cases. OTOH, BC is kept since the
> metadata is still available for the code that needs it. I'll try to
> implement this soon.
>
> --
> Stas Malyshev
> smalyshev@gmail.com
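The two points made in the thread, that application code should never let a user-supplied path reach the phar:// stream wrapper and that phar metadata should only be unserialized when explicitly asked for, as an added example that is not code from this thread or from the PHP project. It assumes PHP 8.0 or later (where Phar::getMetadata() accepts unserialize options and metadata is no longer parsed on open) and must be run with phar.readonly=0 so that the constructed sample archive can be written; the function and class names are illustrative.

```php
<?php
// Added example (not from the thread): guard paths against the phar://
// wrapper and read phar metadata without instantiating objects.
// Assumes PHP >= 8.0; run as:  php -d phar.readonly=0 phar_metadata_check.php
declare(strict_types=1);

// Reject anything carrying a stream scheme such as "phar://" or "PHAR://".
// Code that never needs archives can go further with
// stream_wrapper_unregister('phar') at bootstrap.
function isSafeLocalPath(string $path): bool
{
    return preg_match('#^[a-z][a-z0-9+.-]*://#i', $path) !== 1;
}

// Read metadata with object instantiation disabled: any serialized object
// comes back as __PHP_Incomplete_Class, so no __wakeup()/__destruct() of
// an attacker-chosen class ever runs. Only call this when metadata is
// actually needed; simply opening the archive does not parse it in PHP 8.
function readMetadataSafely(string $pharPath): mixed
{
    if (!isSafeLocalPath($pharPath)) {
        throw new InvalidArgumentException('stream wrappers are not accepted');
    }
    $phar = new Phar($pharPath);
    return $phar->getMetadata(['allowed_classes' => false]);
}

// Constructed sample: an archive whose metadata holds an object, standing in
// for an untrusted phar received from outside.
class SampleMeta { public string $note = 'constructed sample'; }

$file = sys_get_temp_dir() . '/sample-' . bin2hex(random_bytes(4)) . '.phar';
$archive = new Phar($file);
$archive->addFromString('index.php', '<?php echo "hi";');
$archive->setMetadata(new SampleMeta());
unset($archive);

var_dump(isSafeLocalPath('/var/www/uploads/report.txt'));
var_dump(isSafeLocalPath('phar:///tmp/upload.jpg/x'));

$meta = readMetadataSafely($file);
// SampleMeta is not instantiated; the reader sees an incomplete class
// and can inspect or reject it without its methods having executed.
var_dump($meta instanceof __PHP_Incomplete_Class);
unlink($file);
```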