Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:111121
Return-Path: <nikita.ppv@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 21187 invoked from network); 22 Jul 2020 15:44:35 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 22 Jul 2020 15:44:35 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 5C51B1804C8
	for <internals@lists.php.net>; Wed, 22 Jul 2020 07:39:03 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <nikita.ppv@gmail.com>
Received: from mail-lf1-f46.google.com (mail-lf1-f46.google.com [209.85.167.46])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Wed, 22 Jul 2020 07:39:02 -0700 (PDT)
Received: by mail-lf1-f46.google.com with SMTP id i80so1433853lfi.13
        for <internals@lists.php.net>; Wed, 22 Jul 2020 07:39:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=e9GzhCF9suVFUEqmnFVVijahvF7WnUuNiaFKqPQ99OM=;
        b=oXwcal/24osu6CWaYjPEYHLnWLNfEhHtId56+B4AMi5WNtr6lIplr10SbPLCIyDjBL
         KLGp37MCArKPc9zvyqA6IDEln8BcizELDAyg7E3KbO2uX+nlkisGTNITwf1id/wVBmZ6
         WMwsV27RwPEz19XNHr3liv90x4+xeqiWVDLz4JqRagbjK7YTAYNuX3qbRCJeqPvZ49MO
         VAzL7YGBFjNt4ZVSKhlxY4Zq2kH72Vs/JK6E8dTjX7t+TQQuYkaeTW5OfZVB+mUqfrVn
         Axytdee9Hhj8HcdGLBx5DxTHQ02TnUZsm58kmqEvg/ZrHu65/v1dbykt4WAUEanw+8KR
         /KSA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=e9GzhCF9suVFUEqmnFVVijahvF7WnUuNiaFKqPQ99OM=;
        b=AdBayPlGLB3dD4/eBR8q7H778m7ILY73s+bnq+A+0hq8AYB1BolDE0JykXPFuka9y1
         klkMSZfP2+qMQTzyMGmoduvHtFR6BcaJ6RsTD+6bacO4veMR82aOfBm7wELXucgyx+Bx
         88DJXsRPwt4k0dVuzLHi51dss7d/Y3aFje2dM7yaBgL41XgKEW94GLwmm59WzgNDixuN
         PuTSVJfBTG6xeSioyDexWgpGPdsYnI6ceg+Awt/On5sVmde6Y57CJ5WEmIrvRU9F6SXq
         NpTLBJFK/LDQD7fpqbaPULGoVsy/IdL/+b9MpWv520xdkzkTBfJKX9b655DfwdxxV4Zp
         n27g==
X-Gm-Message-State: AOAM530RXfCqGUDnkDXzq3yReSoD3KzU3o6TUbd51yjWXSuvDKHF3P4U
	xa+HtIozMmy115HSTsg/cU09h9zP//ld69vHc6g=
X-Google-Smtp-Source: ABdhPJwSjdaFPUAkvTm1YUsM2MNeZSO3hbDgLwfwiGy7cS0HEPG8WumlDTf78ZtkZqlvoiqZA0h+ihIkvUn/jctGCsY=
X-Received: by 2002:a19:2388:: with SMTP id j130mr15588173lfj.190.1595428737997;
 Wed, 22 Jul 2020 07:38:57 -0700 (PDT)
MIME-Version: 1.0
References: <DM6PR07MB66182B9F1879B64DA95FCFA6F9780@DM6PR07MB6618.namprd07.prod.outlook.com>
In-Reply-To: <DM6PR07MB66182B9F1879B64DA95FCFA6F9780@DM6PR07MB6618.namprd07.prod.outlook.com>
Date: Wed, 22 Jul 2020 16:38:41 +0200
Message-ID: <CAF+90c9TSRSu=xkdsqfwzwXj6g=Z1tL_XOvijWV=62VYzqG4-Q@mail.gmail.com>
To: tyson andre <tysonandre775@hotmail.com>
Cc: PHP Internals List <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="0000000000003160df05ab08b37b"
Subject: Re: [PHP-DEV] [VOTE] Don't automatically unserialize Phar metadata
 outside getMetadata()
From: nikita.ppv@gmail.com (Nikita Popov)

--0000000000003160df05ab08b37b
Content-Type: text/plain; charset="UTF-8"

On Tue, Jul 21, 2020 at 3:37 PM tyson andre <tysonandre775@hotmail.com>
wrote:

> Hi internals,
>
> I've started the vote on
> https://wiki.php.net/rfc/phar_stop_autoloading_metadata
> as announced earlier in https://externals.io/message/110871
> ([RFC] Don't automatically unserialize Phar metadata outside getMetadata())
>
> This adds the mitigations described in
> https://externals.io/message/105271#105291 ,
> which seemed to be the most straightforward approach to avoiding
> unexpected side effects of unserialization.
>
> - For a trusted phar, I wouldn't expect to need to unserialize metadata to
> check for the file not being corrupt
>    (e.g. there's a checksum, and people would have tested the phar
> manually).
> - For an untrusted phar, I'd want php to avoid calling unserialize() when
> reading it through stream wrappers.
>
> https://bugs.php.net/bug.php?id=76774 goes into more detail about the
> security issues this aims to fix.
>
> Thanks,
> - Tyson
>

As a minor suggestion:

> Additionally, add an $allowed_classes parameter to both getMetadata()
implementations, defaulting to the current behavior of allowing any classes
(true). This will be passed to the call to unserialize() performed
internally.

Rather than adding an $allowed_classes parameter, I'd add a general
$unserialize_options parameter that just gets passed through to
unserialize. E.g. we also have a "max_depth" option, which also seems
potentially useful. This will ensure that any new limitations we implement
for unserialize() will also be available in this context.

Nikita

--0000000000003160df05ab08b37b--