Newsgroups: php.internals
Date: Thu, 16 Jul 2020 04:13:50 +0000
To: "internals@lists.php.net"
CC: Bishop Bettini, Stanislav Malyshev
Subject: Re: [RFC] Don't automatically unserialize Phar metadata outside getMetadata()
From: tysonandre775@hotmail.com (tyson andre)

Hi internals,

I plan to start the vote for https://wiki.php.net/rfc/phar_stop_autoloading_metadata on 2020-07-21, in 6 days.

I've created an implementation of this RFC that passes existing phar test cases ( https://github.com/php/php-src/pull/5855 ).
If anyone has additional test cases, patches, fixes, or improvements (or bug reports for this PR), I'd love to see them.

This RFC proposes to not unserialize the metadata automatically when a phar is opened by php (Previously, it did). It will make PHP unserialize the metadata **only** if Phar->getMetadata() or PharFile->getMetadata() is called directly. (as described in https://bugs.php.net/bug.php?id=76774)

- I plan to add more `ZEND_ASSERT` assertions that persistent phars added in `phar.cache_list` don't have temporary zvals (e.g. objects) created in a place where permanent zvals were expected. (probably by avoiding storing any zvals)
  (and/or stop storing the results of unserialize())
- I plan to look into early returns if serialize()/unserialize() calls throw a Throwable.
  This should not affect stream wrappers, only explicit uses of metadata from Phar or PharFile objects.
- If any unexpected issues do get introduced here, I'd anticipate they'd be limited to explicit calls from PHP to Phar or PharFile's setMetadata/getMetadata/delMetadata,
  which should have less security impact than prior to this RFC, where `file_exists("phar://$untrusted")` can lead to a call to unserialize(). (see the RFC for security concerns of phar stream wrappers)
- I'd expect that any unanticipated issues could be solved by the time the first release candidate is released

> I've created https://wiki.php.net/rfc/phar_stop_autoloading_metadata as mentioned earlier in https://externals.io/message/110856
>
> This aims to add the mitigations described in https://externals.io/message/105271#105291 , which seemed to be the most straightforward approach to avoiding unexpected side effects of unserialization.
> - For a trusted phar, I wouldn't expect to need to unserialize metadata to check for the file not being corrupt (e.g. there's a checksum, and people would have tested the phar manually).
> - For an untrusted phar, I'd want php to avoid calling unserialize() when reading it.
>
> https://bugs.php.net/bug.php?id=76774 goes into more detail about the security issues this aims to fix.

Thanks,
- Tyson
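Added example, not part of the original message or of the php-src pull request: a Python triage script that extracts the global metadata blob from a native-format phar and lists class names referenced in it without unserializing anything, so an untrusted archive can be checked before any PHP process opens it. The manifest layout follows the PHP manual's phar file format description; `build_sample` and its inputs are constructed for the demonstration, and tar/zip-based or whole-file-compressed phars are assumed out of scope.

```python
import re
import struct

HALT = b"__HALT_COMPILER(); ?>"
# serialize() writes objects as O:<len>:"Class" or C:<len>:"Class".
# Heuristic only: a string value containing this byte pattern is also flagged.
OBJECT_RE = re.compile(rb'(?:^|[;{])[OC]:\d+:"([^"]+)"')
# manifest length, file count, API version, global flags, alias length
FIXED = struct.Struct("<IIHII")


def phar_metadata(data: bytes) -> bytes:
    """Return the raw serialized global metadata; it is never decoded."""
    pos = data.find(HALT)
    if pos < 0:
        raise ValueError("no __HALT_COMPILER(); ?> stub terminator")
    pos += len(HALT)
    # An optional line ending may separate the stub from the manifest.
    if data[pos:pos + 2] == b"\r\n":
        pos += 2
    elif data[pos:pos + 1] == b"\n":
        pos += 1
    if len(data) < pos + FIXED.size:
        raise ValueError("truncated manifest header")
    _manifest_len, _files, _api, _flags, alias_len = FIXED.unpack_from(data, pos)
    pos += FIXED.size + alias_len
    if len(data) < pos + 4:
        raise ValueError("truncated before metadata length")
    (meta_len,) = struct.unpack_from("<I", data, pos)
    meta = data[pos + 4:pos + 4 + meta_len]
    if len(meta) != meta_len:
        raise ValueError("metadata length exceeds file size")
    return meta


def metadata_classes(data: bytes) -> list[str]:
    """Class names that unserialize() would try to instantiate from the metadata."""
    return [m.decode("latin-1") for m in OBJECT_RE.findall(phar_metadata(data))]


def build_sample(metadata: bytes) -> bytes:
    """Constructed input: stub plus a zero-file manifest (not a loadable phar)."""
    alias = b"demo.phar"
    body = struct.pack("<IHII", 0, 0x11, 0, len(alias)) + alias
    body += struct.pack("<I", len(metadata)) + metadata
    return b"<?php " + HALT + b"\r\n" + struct.pack("<I", len(body)) + body
```

A non-empty result from `metadata_classes` means the archive's metadata would instantiate objects if it were unserialized, which is the case the RFC stops from happening implicitly.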