Newsgroups: php.internals
Subject: Re: [PHP-DEV] PHP deserialization techniques offer rich pickings for security researchers
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Yasuo Ohgaki
Cc: Raymond Irving, PHP Internals
Date: Tue, 16 Apr 2019 21:40:43 -0700
Message-ID: <75084a02-3cb2-b732-a903-9f7afa230c8e@gmail.com>
References: <2e70065b-160b-7134-03ee-1a6025a6467c@gmail.com> <92b1b774-7c4b-555d-671e-d58c1054bd14@gmail.com>

Hi!

> This issue was discussed in this list before.
> As long as PHP calls unserialize for phar metadata, object injection is
> possible which may allow malicious code execution.

Right. That's why I want to make it not unserialize this data unless it's
explicitly being requested.

> I'm not sure if Phar metadata requires object or not.
> If not, Phar may use JSON. Or we may add safer unserialize that ignores
> object and reference for maximum compatibility.

That would break BC with all existing phars that use metadata.

-- 
Stas Malyshev
smalyshev@gmail.com
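The two options discussed in this exchange (an unserialize that ignores objects, and only unserializing phar metadata when a caller explicitly asks for it) can be shown on a constructed serialized string. The following is an added example and is not code from the thread or from php-src; it touches no real phar, and the `BuildInfo` and `LazyMetadata` classes are hypothetical stand-ins for a class a phar might store in its metadata and for a metadata holder that defers unserialization. It uses the real `allowed_classes` option of `unserialize()` (PHP 7.0+).

```php
<?php
declare(strict_types=1);

// Added example, not from the thread or from php-src. Constructed data only.

// Hypothetical class a phar might legitimately store in its metadata. Its
// __wakeup() stands in for any side effect that runs during unserialize().
final class BuildInfo
{
    public static $wakeups = 0;
    public $version;

    public function __construct(string $version) { $this->version = $version; }
    public function __wakeup() { self::$wakeups++; }
}

// Hypothetical holder for Stas's direction: keep the metadata as raw bytes and
// unserialize only on an explicit request, with an explicit class allow-list.
final class LazyMetadata
{
    private $raw;
    public function __construct(string $raw) { $this->raw = $raw; }

    /** @param bool|string[] $allowed passed straight through to allowed_classes */
    public function get($allowed = false)
    {
        return unserialize($this->raw, ['allowed_classes' => $allowed]);
    }
}

function check(bool $cond, string $what): void
{
    if (!$cond) { throw new RuntimeException("check failed: $what"); }
}

// Constructed metadata in the shape Phar stores it: one serialized array.
$rawMeta = serialize(['built' => '2019-04-16', 'info' => new BuildInfo('1.2.3')]);

// 1) Default unserialize(): the object is rebuilt and its __wakeup() runs before
//    the caller has inspected anything. That is the object injection surface the
//    thread is about: it runs for every phar that is opened, wanted or not.
$full = unserialize($rawMeta);
check($full['info'] instanceof BuildInfo, 'object rebuilt');
check(BuildInfo::$wakeups === 1, '__wakeup ran once');

// 2) "Safer unserialize" (Yasuo's suggestion): allowed_classes => false keeps
//    scalars and arrays but turns every object into __PHP_Incomplete_Class, so
//    no __wakeup()/__destruct() of the original class ever runs. This is also
//    the BC break Stas points to: metadata objects do not come back.
$noObjects = unserialize($rawMeta, ['allowed_classes' => false]);
check($noObjects['built'] === '2019-04-16', 'scalars survive');
check($noObjects['info'] instanceof __PHP_Incomplete_Class, 'object dropped');
check(BuildInfo::$wakeups === 1, 'no extra __wakeup');

// 3) Middle ground: an allow-list rebuilds only classes the consumer knows it
//    needs; any other class in the payload still becomes incomplete.
$allowListed = unserialize($rawMeta, ['allowed_classes' => ['BuildInfo']]);
check($allowListed['info'] instanceof BuildInfo, 'allow-listed class rebuilt');
check(BuildInfo::$wakeups === 2, '__wakeup ran for the allow-listed class');

// 4) Deferred unserialize: constructing the holder runs nothing; only an
//    explicit get() call unserializes, and only the allowed classes.
$lazy = new LazyMetadata($rawMeta);
check(BuildInfo::$wakeups === 2, 'constructing the holder runs nothing');
$requested = $lazy->get(['BuildInfo']);
check($requested['info']->version === '1.2.3', 'explicit request works');
check(BuildInfo::$wakeups === 3, '__wakeup ran only on request');

echo "all checks passed\n";
```

Run it with `php example.php`; every `check()` call throws on a mismatch, so a clean run means each of the four behaviours held. Step 2 makes the compatibility cost concrete: `allowed_classes => false` removes the side-effect path entirely, but any consumer that expected `$meta['info']` to be a `BuildInfo` now gets an incomplete object instead.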