Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:105300 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 94036 invoked from network); 17 Apr 2019 04:16:21 -0000 Received: from unknown (HELO es-i.jp) (180.42.98.130) by pb1.pair.com with SMTP; 17 Apr 2019 04:16:21 -0000 Received: (qmail 120689 invoked by uid 89); 17 Apr 2019 01:15:06 -0000 Received: from unknown (HELO mail-ot1-f46.google.com) (yohgaki@ohgaki.net@209.85.210.46) by 0 with ESMTPA; 17 Apr 2019 01:15:06 -0000 Received: by mail-ot1-f46.google.com with SMTP id d24so19264987otl.11 for ; Tue, 16 Apr 2019 18:15:05 -0700 (PDT) X-Gm-Message-State: APjAAAVwSMS3/ZRdGlMEBsPhosNglQjzePLfQ6QaFGta9lCGVstA07TT rHyWNHvai44Rr+dPP1HvEpZHnDhXYUQh8U7zdQ== X-Google-Smtp-Source: APXvYqyMGBjq9XTss21uMkILpAANvBm/rHg4GirThzsEueXO1TGGacb2GNLozG0gw+Tx+Ct73DzVKbIbTEa0y3v/DRM= X-Received: by 2002:a9d:75cc:: with SMTP id c12mr53601465otl.77.1555463699938; Tue, 16 Apr 2019 18:14:59 -0700 (PDT) MIME-Version: 1.0 References: <2e70065b-160b-7134-03ee-1a6025a6467c@gmail.com> <92b1b774-7c4b-555d-671e-d58c1054bd14@gmail.com> In-Reply-To: Date: Wed, 17 Apr 2019 10:14:24 +0900 X-Gmail-Original-Message-ID: Message-ID: To: Bishop Bettini Cc: Stanislav Malyshev , Raymond Irving , PHP Internals Content-Type: multipart/alternative; boundary="0000000000004bc6200586af9d1f" Subject: Re: [PHP-DEV] PHP deserialization techniques offer rich pickings for security researchers From: yohgaki@ohgaki.net (Yasuo Ohgaki) --0000000000004bc6200586af9d1f Content-Type: text/plain; charset="UTF-8" On Tue, Apr 16, 2019 at 10:55 PM Bishop Bettini wrote: > On Tue, Apr 16, 2019 at 6:38 AM Yasuo Ohgaki wrote: > >> On Mon, Apr 15, 2019 at 3:28 PM Stanislav Malyshev >> wrote: >> >> > Hi! >> > >> > > Thanks for responding to this issue. >> > > >> > > Will calling getMetaData still parse and >> > > execute malicious code? >> > >> > If it's contained in phar and serialized data and the surrounding code >> > (I understand that most techniques mentioned in the article rely on >> > certain vulnerable code being present) then yes. >> > >> >> This issue was discussed in this list before. >> As long as PHP calls unserialize for phar metadata, object injection is >> possible >> which may allow malicious code execution. >> >> https://github.com/php/php-src/blob/master/ext/phar/phar.c#L607 >> >> I'm not sure if Phar metadata requires object or not. >> If not, Phar may use JSON. Or we may add safer unserialize that ignores >> object >> and reference for maximum compatibility. >> >> Something has to be done, since we wouldn't fix memory issue(s) in >> unserialization. >> > > Phar itself does not require object metadata, but users may have objects > in their phars' metadata. Using the argument from BC, we can't remove > object support. That said, I'd suggest we go about this in two phases: > > 1. Immediate mitigation. Invoke phar_parse_metadata only when explicitly > called for, via getMetadata. I believe hasMetadata and delMetadata do not > need to unserialize to answer their functions. This is, as I understand it, > Stas' suggestion. > > 2. Improve caller control on unserialization. Change the signature to > public Phar::getMetadata ( mixed $allowed_classes = true ) : mixed, and > invoke the behavior similar to how unserialize itself works. Since all of > this problem stems from the use of untrusted content on the phar:// stream, > we should put into the caller's hands as much control as possible. > > If the above is reasonable, I'll create tickets for the work and put it up > at the top of my queue (right behind finishing the phar fuzzing PR). > Sounds good to me. Currently, it seems phar unserialize metadata always by phar_parse_pharfile() https://github.com/php/php-src/blob/master/ext/phar/phar.c#L664 This behavior is not nice. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net --0000000000004bc6200586af9d1f--