Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:105291 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 37511 invoked from network); 16 Apr 2019 16:57:00 -0000 Received: from unknown (HELO mail-vs1-f67.google.com) (209.85.217.67) by pb1.pair.com with SMTP; 16 Apr 2019 16:57:00 -0000 Received: by mail-vs1-f67.google.com with SMTP id f15so11582097vsk.9 for ; Tue, 16 Apr 2019 06:55:39 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=FlzPtU0EV15VaGAvcD9VI+n7rARqudmHcsyaQCO0Tl4=; b=tZEiwA42A/JX5+gPha+DFOmdJfOggTYnuo3xHKftdh7vTjGAduyJFMPqB9YRXHDTTL VICkH0avlBvlfoRHbwE/UCWps8vNsocVSyJUl+I6E3yv1ePxvXW3SH2f18o+R3t8tsmU Gz+tvOKPJsoEKmNPLY7pVjNVxDT7aYodo8u3Jtv1abs8vuU+6cTLzgIETbq1DIqblcKc S45qAACnNlfyM5W8uvapP9wFVwdGOQc5dcILSDEN8/ATvGMrpARmXptq62b7dJ/i/gWM 5DkodIwe8KCLQjCQwEvWDvuOG+3fWWECnFuTMBCpF/nZPWEhDSkitai6MdwTQNdbFfxD VoQQ== X-Gm-Message-State: APjAAAVkFUejne/p+3GMups6pvLr4orOwY1I1GbcD/1YJMVoJ3R2yJBb 1rW0ddKL0+V6RdPUtVXPgMEGAqCQntel4xW+0So= X-Google-Smtp-Source: APXvYqwdoQ8+OVyo5yNf8qFCBuyuY5h8o0AhKDS2GnTpMX4AlKtjTBJEYUZb5lZwUoRBJNG58Grt1ndG0hrg/xqsdIE= X-Received: by 2002:a67:cb14:: with SMTP id b20mr44053332vsl.140.1555422938601; Tue, 16 Apr 2019 06:55:38 -0700 (PDT) MIME-Version: 1.0 References: <2e70065b-160b-7134-03ee-1a6025a6467c@gmail.com> <92b1b774-7c4b-555d-671e-d58c1054bd14@gmail.com> In-Reply-To: Reply-To: bishop@php.net Date: Tue, 16 Apr 2019 09:55:14 -0400 Message-ID: To: Yasuo Ohgaki , Stanislav Malyshev Cc: Raymond Irving , PHP Internals Content-Type: multipart/alternative; boundary="000000000000bb1f180586a61f4d" Subject: Re: [PHP-DEV] PHP deserialization techniques offer rich pickings for security researchers From: bishop@php.net (Bishop Bettini) --000000000000bb1f180586a61f4d Content-Type: text/plain; charset="UTF-8" On Tue, Apr 16, 2019 at 6:38 AM Yasuo Ohgaki wrote: > On Mon, Apr 15, 2019 at 3:28 PM Stanislav Malyshev > wrote: > > > Hi! > > > > > Thanks for responding to this issue. > > > > > > Will calling getMetaData still parse and > > > execute malicious code? > > > > If it's contained in phar and serialized data and the surrounding code > > (I understand that most techniques mentioned in the article rely on > > certain vulnerable code being present) then yes. > > > > This issue was discussed in this list before. > As long as PHP calls unserialize for phar metadata, object injection is > possible > which may allow malicious code execution. > > https://github.com/php/php-src/blob/master/ext/phar/phar.c#L607 > > I'm not sure if Phar metadata requires object or not. > If not, Phar may use JSON. Or we may add safer unserialize that ignores > object > and reference for maximum compatibility. > > Something has to be done, since we wouldn't fix memory issue(s) in > unserialization. > Phar itself does not require object metadata, but users may have objects in their phars' metadata. Using the argument from BC, we can't remove object support. That said, I'd suggest we go about this in two phases: 1. Immediate mitigation. Invoke phar_parse_metadata only when explicitly called for, via getMetadata. I believe hasMetadata and delMetadata do not need to unserialize to answer their functions. This is, as I understand it, Stas' suggestion. 2. Improve caller control on unserialization. Change the signature to public Phar::getMetadata ( mixed $allowed_classes = true ) : mixed, and invoke the behavior similar to how unserialize itself works. Since all of this problem stems from the use of untrusted content on the phar:// stream, we should put into the caller's hands as much control as possible. If the above is reasonable, I'll create tickets for the work and put it up at the top of my queue (right behind finishing the phar fuzzing PR). bishop --000000000000bb1f180586a61f4d--