Newsgroups: php.internals
Message-ID: <3051b31a-574a-1d93-6fc4-99fa06da685a@gmail.com>
Date: Tue, 16 Apr 2019 21:44:02 -0700
From: smalyshev@gmail.com (Stanislav Malyshev)
To: bishop@php.net, Yasuo Ohgaki
Cc: Raymond Irving, PHP Internals
References: <2e70065b-160b-7134-03ee-1a6025a6467c@gmail.com> <92b1b774-7c4b-555d-671e-d58c1054bd14@gmail.com>
Subject: Re: [PHP-DEV] PHP deserialization techniques offer rich pickings for security researchers

Hi!

> 2. Improve caller control on unserialization. Change the signature to
> public Phar::getMetadata ( mixed $allowed_classes = true ) : mixed, and
> invoke the behavior similar to how unserialize itself works. Since all
> of this problem stems from the use of untrusted content on the phar://
> stream, we should put into the caller's hands as much control as possible.

This, unfortunately, is only a partial solution. As long as the serialization format supports references - and they are likely not going anywhere - it won't be secure; it's virtually impossible to secure code that can modify references while an object is being unserialized, at least without rewriting the whole unserialization code. If somebody undertakes this task, then yes, maybe it can be made secure (not sure even then).

For now, unserializing insecure data is insecure, regardless of allowed_classes. allowed_classes is just a barrier to block the most obvious attacks in the wild now, but it does not guarantee safety.

--
Stas Malyshev
smalyshev@gmail.com
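The following is an added example illustrating the point made in the reply above; it is not code from the original message, from the PHP project, or from the Phar RFC under discussion. It shows what the allowed_classes option of unserialize() does (blocks instantiation of non-listed classes, yielding __PHP_Incomplete_Class) and does not do (the payload's own data, including an R: back-reference, is still processed, and an allowed class still receives attacker-chosen property values). It then shows the approach that does hold: only unserialize data whose origin you have authenticated, here with an HMAC over the serialized blob. The Account class, the property names, the sample payload and the key handling are all constructed for this demonstration; it assumes PHP 8.0 or later.

```php
<?php
// Added example, not from the original thread. Class, keys and payload are made up.

final class Account
{
    public string $owner;
    public bool $admin = false;

    public function __construct(string $owner)
    {
        $this->owner = $owner;
    }
}

// Constructed attacker-controlled payload, as it might arrive via phar:// metadata.
// Slot 0 is an Account with admin=true; slot 1 is "R:2", a back-reference to
// value #2 (the object). Reference handling is part of the format itself and is
// processed whatever allowed_classes says.
const UNTRUSTED = 'a:2:{i:0;O:7:"Account":2:{s:5:"owner";s:5:"alice";s:5:"admin";b:1;}i:1;R:2;}';

/** What allowed_classes gives you: no Account is instantiated, but the data is still parsed. */
function demoBlocked(): array
{
    $v = unserialize(UNTRUSTED, ['allowed_classes' => false]);
    return [
        'incomplete' => $v[0] instanceof __PHP_Incomplete_Class, // true
        'ref_kept'   => $v[0] === $v[1],                         // true: R:2 was resolved
    ];
}

/** What it does not give you: an allowed class still takes attacker-chosen state. */
function demoAllowed(): bool
{
    $v = unserialize(UNTRUSTED, ['allowed_classes' => ['Account']]);
    return $v[0] instanceof Account && $v[0]->admin; // true: constructor never ran
}

/** Produce a blob we can later trust: serialize, then MAC it with a secret we hold. */
function seal(mixed $value, string $key): string
{
    $blob = serialize($value);
    return hash_hmac('sha256', $blob, $key) . ':' . $blob; // hex MAC never contains ':'
}

/** Verify origin before unserialize() ever sees the bytes; allowed_classes is defence in depth only. */
function unseal(string $sealed, string $key, array $allowedClasses): mixed
{
    [$mac, $blob] = explode(':', $sealed, 2) + [null, null];
    if ($mac === null || $blob === null) {
        throw new RuntimeException('malformed sealed blob');
    }
    // hash_equals() compares in constant time; fail closed on mismatch.
    if (!hash_equals(hash_hmac('sha256', $blob, $key), $mac)) {
        throw new RuntimeException('MAC mismatch: refusing to unserialize');
    }
    return unserialize($blob, ['allowed_classes' => $allowedClasses]);
}

// Usage. In practice the key is a persistent secret loaded from configuration.
$key = random_bytes(32);

var_dump(demoBlocked());  // ['incomplete' => true, 'ref_kept' => true]
var_dump(demoAllowed());  // true

$good = unseal(seal(new Account('bob'), $key), $key, ['Account']);
assert($good instanceof Account && $good->admin === false);

try {
    // Attacker supplies their own payload with a MAC computed under a key they guessed.
    unseal(hash_hmac('sha256', UNTRUSTED, 'guess') . ':' . UNTRUSTED, $key, ['Account']);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL; // MAC mismatch: refusing to unserialize
}
```

The MAC check is the security boundary here: anything that fails it never reaches the unserializer, so the format's reference semantics only ever operate on bytes the application produced itself. If the data genuinely has to come from an untrusted party, use a format without object or reference semantics (for example json_decode()) instead of narrowing unserialize() with allowed_classes.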