Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:110872
Return-Path: <bishop.bettini@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 55729 invoked from network); 8 Jul 2020 03:05:30 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 8 Jul 2020 03:05:30 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 5C01F18020B
	for <internals@lists.php.net>; Tue,  7 Jul 2020 18:56:18 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=0.5 required=5.0 tests=BAYES_20,
	FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,
	HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,
	SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <bishop.bettini@gmail.com>
Received: from mail-qt1-f170.google.com (mail-qt1-f170.google.com [209.85.160.170])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Tue,  7 Jul 2020 18:56:11 -0700 (PDT)
Received: by mail-qt1-f170.google.com with SMTP id 6so8098025qtt.0
        for <internals@lists.php.net>; Tue, 07 Jul 2020 18:56:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:reply-to
         :from:date:message-id:subject:to:cc;
        bh=Xli0spbDRt6WoJR3+FiIJ4leqsgnKPTusmlZ2nrrUsY=;
        b=mG99fB/KW+oCNxLen8uSTAmt7ix4Zaz8BSHWf0bkKUB9fUws2E0ALk/inMAlx8n7y+
         gVJeacKBUVqYPiMcAhfXRe4SNhuk7GPD4ltVEAyzZxia9uar7pp3SeHagIhtE7v0enGo
         P986rxsT5tHIf/Cj/3b0nc5fW1IMaKm4vWDJ8azLKz1JRbuMYVd+ELkIbDLTUXMNR+51
         ZQXHhVECL05r3lLdn1PtK248Qzk4YzYGQFRPEIXSkk1D4w5mJK4fqrxKXd90176seOv+
         h7K7BUGp9uB8fW8o7KqwSv6xAMEhjo9w3tGj/P/EVzB9pngkrUannMMwarqzQqFOkUlo
         G9tQ==
X-Gm-Message-State: AOAM531eLH0ddluDK5gPpNEOH4WrwXBvdu4g3vquzE2QA7a/wZb8ZR5f
	VFfgavGGXmCqd2H84PYnh/+QF7ZmFHGDtytGwqY=
X-Google-Smtp-Source: ABdhPJzOCslSaiJbwF3/+cT0EuCeRBiUGh0VULvCbjtHXcCL28JDmfcSDLPdVOs2dbdAvQrEkcpf0V9JIjTceG6XpDY=
X-Received: by 2002:ac8:17d6:: with SMTP id r22mr59373927qtk.15.1594173369481;
 Tue, 07 Jul 2020 18:56:09 -0700 (PDT)
MIME-Version: 1.0
References: <DM6PR07MB6618AE5466C12EC544F527F7F9660@DM6PR07MB6618.namprd07.prod.outlook.com>
In-Reply-To: <DM6PR07MB6618AE5466C12EC544F527F7F9660@DM6PR07MB6618.namprd07.prod.outlook.com>
Reply-To: bishop@php.net
Date: Tue, 7 Jul 2020 21:55:33 -0400
Message-ID: <CAEYWF=4hStv1erow6ZLAXvRHCrxiVrQMR8ZqgTznciePjBKcug@mail.gmail.com>
To: tyson andre <tysonandre775@hotmail.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="00000000000065feee05a9e4695a"
Subject: Re: Including "Disable the ability to use concrete types in PHAR
 metadata" in PHP 8.0?
From: bishop@php.net (Bishop Bettini)

--00000000000065feee05a9e4695a
Content-Type: text/plain; charset="UTF-8"

On Mon, Jul 6, 2020 at 8:58 PM tyson andre <tysonandre775@hotmail.com>
wrote:

> Hi internals,
>
> https://bugs.php.net/bug.php?id=76774 has been open since 2018-08-21.
>
> That ticket proposes the following:
>
> > I propose that we disable the ability to have concrete types included in
> the serialized metadata by
> > providing an empty classlist to the unserialize call in the PHAR package.
> > This will support the real cases we see in the wild of metadata usage
> which is only array key values.
>
> A major change such as PHP 8.0 seems like a good time to disable this.
> (but it seems safe enough for any minor version)
>
> Various blog posts have been written explaining the resulting
> vulnerabilities,
> such as
> https://www.ixiacom.com/company/blog/exploiting-php-phar-deserialization-vulnerabilities-part-1
>
> This change was previously proposed in
> https://externals.io/message/105271#105303
>
> > Bishop Bettini wrote,
> >
> > I agree that $allowed_classes is a partial fix.
> > But is it not better to incrementally add defensive layers?
> >
> > I'll get to the immediate mitigation after I finish my phar fuzzing work,
> > unless somebody beats me to it.
>
> I'm in favor of adding the defensive layer, and could probably implement
> the immediate mitigation if needed.
>
> Thoughts on whether this needs an RFC? Has anything changed since that
> email thread? There seemed to be some debate over implementation details,
> but most responses considered the existing unserialization behavior
> problematic.
>
> - If it did, this may need to start less than two weeks after finishing an
> RFC, due to the feature freeze in august 8th.
>

Thanks for raising this.

I agree that 8.0 is a great time to fix it. While I see this as a design
oversight rather than a new feature - and don't think it requires an RFC -
the RFC provides welcome visibility into the pros and cons. So, +1.

I've been working on an IMAP issue for some time now[1], and Phar work has
been sidelined as a result. Fortunately, the fix is straightforward and I'm
happy to work together to land this before feature freeze.

[1]:https://wiki.php.net/todo/ext/imap/xoauth2

--00000000000065feee05a9e4695a--