Newsgroups: php.internals
To: internals@lists.php.net
Date: Wed, 8 Jul 2020 00:06:51 +0000
Subject: [RFC] Don't automatically unserialize Phar metadata outside getMetadata()
From: tysonandre775@hotmail.com (tyson andre)

Hi internals,

I've created https://wiki.php.net/rfc/phar_stop_autoloading_metadata as mentioned earlier in https://externals.io/message/110856

This aims to add the mitigations described in https://externals.io/message/105271#105291, which seemed to be the most straightforward approach to avoiding unexpected side effects of unserialization.
- For a trusted phar, I wouldn't expect to need to unserialize metadata to check for the file not being corrupt (e.g. there's a checksum, and people would have tested the phar manually).
- For an untrusted phar, I'd want php to avoid calling unserialize() when reading it.

https://bugs.php.net/bug.php?id=76774 goes into more detail about the security issues this aims to fix.

Thanks,
- Tyson
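Added example (not from Tyson's message, the RFC, or PHP's own phar code): a small Python scanner that pulls the global metadata out of a phar manifest without ever unserializing it, which is the same separation the RFC asks PHP to keep internally. It assumes the manifest layout documented in the PHP manual (length, file count, API version, flags, alias, metadata) and constructs its own minimal sample input; `extract_phar_metadata`, `metadata_creates_objects` and `build_sample_phar` are names chosen here.

```python
import re
import struct

STUB_END = b"__HALT_COMPILER(); ?>"
# O: (object) and C: (Serializable class) tokens both instantiate classes
# when PHP's unserialize() runs over them.
OBJECT_TOKEN = re.compile(rb'\b[OC]:\d+:"')

def extract_phar_metadata(blob: bytes) -> bytes:
    """Return the global metadata bytes of a phar without unserializing them.
    Manifest layout (PHP manual): manifest length (4), file count (4),
    API version (2), flags (4), alias length (4), alias, metadata length (4),
    metadata, then the per-file entries. All integers are little-endian."""
    idx = blob.find(STUB_END)
    if idx < 0:
        raise ValueError("no __HALT_COMPILER(); ?> terminator: not a phar stub")
    pos = idx + len(STUB_END)
    for nl in (b"\r\n", b"\n"):  # PHP allows one line break after the stub
        if blob.startswith(nl, pos):
            pos += len(nl)
            break
    manifest_len, _files, _api, _flags, alias_len = struct.unpack_from("<IIHII", blob, pos)
    manifest_end = pos + 4 + manifest_len  # length field excludes itself
    if manifest_end > len(blob):
        raise ValueError("manifest length exceeds file size")
    pos += 18 + alias_len  # skip the fixed fields and the alias
    (meta_len,) = struct.unpack_from("<I", blob, pos)
    pos += 4
    if pos + meta_len > manifest_end:
        raise ValueError("metadata length exceeds manifest")
    return blob[pos:pos + meta_len]

def metadata_creates_objects(metadata: bytes) -> bool:
    """True if unserializing this metadata would instantiate classes.
    Conservative on purpose: object-like text inside a serialized string
    value also matches, so treat a hit as 'inspect', not 'proven malicious'."""
    return OBJECT_TOKEN.search(metadata) is not None

def build_sample_phar(metadata: bytes) -> bytes:
    """Constructed test input: stub plus a zero-entry manifest carrying
    `metadata`. Layout only; not a loadable archive (no entries, no signature).
    The API version field (0x1100) is an opaque placeholder here."""
    alias = b"sample"
    body = (struct.pack("<IHII", 0, 0x1100, 0, len(alias)) + alias
            + struct.pack("<I", len(metadata)) + metadata)
    return b"<?php __HALT_COMPILER(); ?>\r\n" + struct.pack("<I", len(body)) + body
```

Running `metadata_creates_objects(extract_phar_metadata(open(path, "rb").read()))` over a phar answers "would loading this call a class's unserialization hooks?" without giving the archive a chance to run them.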