Newsgroups: php.internals
Message-ID: <20040906054628.97379.qmail@pb1.pair.com>
To: internals@lists.php.net
Date: Sun, 5 Sep 2004 22:46:25 -0700
Subject: Re: unserialize() data from untrusted source
From: pollita@php.net ("Sara Golemon")

> Have a situation where I want to unserialize a string received from an
> untrusted source over HTTP (a Javascript client in this case). For
> basic types this is no concern but when it comes to objects, would be
> nice to be able to restrict the class of object to a member of a known
> list, to prevent "unplanned objects" being created from classes which
> happened to be defined but were not intended for unserialization (such
> as the growing number of pre-loaded classes in PHP5), and the possible
> security issues that might introduce.
>

$bad_classes = array(/* placeholder: class names that must not be unserialized */);

/* Pattern needs delimiters; the class name is the second capture group,
   the first one is only the preceding ^ , ':' or '{' */
if (preg_match_all('/(^|:|\{)O:\d+:(.*?):/', $serializedString, $matches, PREG_PATTERN_ORDER)) {
    /* Serialized data contains objects */
    foreach ($matches[2] as $match) {
        $class = trim($match, "'\"");
        if (in_array($class, $bad_classes)) die("Bad hacker, no cookie for you!");
    }
}

Something along the lines of the above should do the trick. It's got some
shortcomings, but they're the type to give false positives rather than act
as security holes.....
Though considering the fact that it'd be more trustable/reliable to implement in unserialize itself and not a complicated check to include anyway, I'd say "sure, why not".
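Added example, not code from this thread or from PHP itself: the whitelist the original poster asks for, built on the 'allowed_classes' option that unserialize() gained in PHP 7.0, together with a pre-check in the spirit of the regex above that also catches C: (custom-serialized) objects. The classes Point and Unexpected and the payloads are constructed for the demonstration.

```php
<?php
// Added example (not from the thread). Restricting which classes unserialize()
// may instantiate, using the 'allowed_classes' option (PHP >= 7.0).

class Point { public $x = 0; public $y = 0; }

// Stands in for any class that was never meant to come off the wire.
class Unexpected {
    public static $wakeups = 0;
    public function __wakeup() { self::$wakeups++; }
}

// Deserialize untrusted input, instantiating only the listed classes. Any
// other object in the payload becomes __PHP_Incomplete_Class, so its
// __wakeup() and __destruct() never run. Pass [] to forbid objects entirely.
function unserialize_restricted(string $data, array $allowed)
{
    return unserialize($data, ['allowed_classes' => $allowed]);
}

// List every class a serialized string would instantiate, without
// deserializing anything. Object tokens look like O:<len>:"<class>": or
// C:<len>:"<class>": and are preceded by start of string, ':', ';' or '{'.
// Unlike a blacklist, the caller compares this against a known-good list.
function serialized_class_names(string $data): array
{
    preg_match_all('/(?:^|[:;{])[OC]:\d+:"([^"]*)":/', $data, $m);
    return array_values(array_unique($m[1]));
}

// Constructed payloads: one legitimate Point, one object hidden in an array.
$p = new Point; $p->x = 1; $p->y = 2;
$good = serialize($p);
$bad  = 'a:1:{i:0;O:10:"Unexpected":0:{}}';

$allowed = ['Point'];

// Pre-check: reject up front if any class is outside the whitelist.
foreach (serialized_class_names($bad) as $class) {
    if (!in_array($class, $allowed, true)) {
        echo "rejecting payload: class $class is not allowed\n";
    }
}

// Engine-level check: the unexpected object is never instantiated.
$obj = unserialize_restricted($good, $allowed);
$arr = unserialize_restricted($bad, $allowed);
var_dump($obj instanceof Point);
var_dump($arr[0] instanceof __PHP_Incomplete_Class);
var_dump(Unexpected::$wakeups);
```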