Newsgroups: php.internals
Date: Tue, 05 Aug 2025 08:22:59 -0500
To: "php internals"
Message-ID: <795f25eb-3339-4e80-b920-2a336b8b6091@app.fastmail.com>
In-Reply-To: <929642ac-2628-4bdb-acbd-7268231a6e41@app.fastmail.com>
References: <929642ac-2628-4bdb-acbd-7268231a6e41@app.fastmail.com>
Subject: Re: [PHP-DEV] allowed_classes_callback option for unserialize()
From: larry@garfieldtech.com ("Larry Garfield")

On Tue, Aug 5, 2025, at 4:14 AM, Casper Langemeijer wrote:
> I'm writing this email to propose adding an allowed_classes_callback
> option to unserialize().
>
> The class name as parsed from the serialized string is passed as a
> parameter to the callback, it should return a boolean. true would allow
> the class, false would block it. This blocks classes the same way
> 'allowed_classes' would, but by callback instead. The callback will be
> triggered *after* allowed_classes is evaluated (if present). Blocking
> will have the same effect as allowed_classes, using
> __PHP_Incomplete_Class.
>
> This callback would solve a few problems where allowed_classes is not
> sufficient:
>
> - This would also allow for fixing legacy applications where it is not
> exactly clear what is being unserialized. In my use-case the callable
> returns a true value but an E_USER_DEPRECATION is triggered. This way
> data can be collected about what classes to allow through monitoring
> these deprecations, providing a non-disrupting way to secure
> unserialize calls. This is especially helpful in very generic
> unserialize usages like caches.
>
> - It would allow for an is_subclass_of() check where for example an
> interface can be added to classes that are safe to get unserialized.
> Current allowed_classes array only matches the exact class, not its
> children.
>
> Note that these problems are not resolvable by using
> unserialize_callback_func because that call only happens for unloaded
> classes, where the PHP Object Injection vulnerability
> https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
> affects classes that might already have been loaded.
>
> In the pull request Jakub wrote:
>> Personally I don't see any issue here and it seems quite self
>> contained and small so I wouldn't mind to get it merged without RFC.
>> It might be worth to email internals first to double check that there
>> are no objections first.
>
> Out of scope: I understand that __PHP_Incomplete_Class is not very
> 2025. Adding an option throw_for_unknown_classes has been suggested on
> this list. I'm happy to implement that, but for now I'd like to keep it
> at allowed_classes_callback.
>
> Feedback is very much appreciated.
>
> The change and some more details live here:
> https://github.com/php/php-src/pull/19087

I am not opposed to this, but I would like to see it go through an RFC.

--Larry Garfield
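
An added example, not code from the pull request or from php-src: a userland approximation of the two use cases in the proposal (an is_subclass_of() policy and a report-only audit mode), built on the existing allowed_classes option. SafeToUnserialize, CacheEntry, TempFile and policy_unserialize() are hypothetical names, and the payload is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical marker interface for classes that are safe to unserialize.
interface SafeToUnserialize {}

final class CacheEntry implements SafeToUnserialize
{
    public function __construct(public string $key = '', public int $ttl = 0) {}
}

// Constructed stand-in for an already-loaded class with a side-effecting destructor.
final class TempFile
{
    public string $path = '';
    public function __destruct() { /* a real class might delete $this->path here */ }
}

// Collect candidate class names from the payload, keep those the policy accepts,
// and hand the result to the existing allowed_classes option. The scan may also
// match text inside string values; that only adds candidates for the policy to judge.
function policy_unserialize(string $payload, callable $policy): mixed
{
    preg_match_all('/[OC]:\d+:"([^":]+)/', $payload, $m); // O: objects, C: Serializable
    $allowed = array_values(array_filter(array_unique($m[1]), $policy));
    return unserialize($payload, ['allowed_classes' => $allowed]);
}

// Policy 1: interface/subclass check. class_exists(..., false) keeps the check
// from invoking the autoloader for names taken from untrusted input.
$byInterface = static fn(string $c): bool =>
    class_exists($c, false) && is_subclass_of($c, SafeToUnserialize::class);

// Policy 2: audit mode. Everything is allowed, unlisted classes are reported.
$audit = static function (string $c) use ($byInterface): bool {
    if (!$byInterface($c)) {
        trigger_error("unserialize() of unlisted class $c", E_USER_DEPRECATED);
    }
    return true;
};

// Constructed sample payload: one class the policy accepts, one it does not.
$payload = serialize([new CacheEntry('k', 60), new TempFile()]);

$strict = policy_unserialize($payload, $byInterface);
var_dump($strict[0] instanceof CacheEntry, $strict[1] instanceof __PHP_Incomplete_Class);

$observed = policy_unserialize($payload, $audit); // reports TempFile, still restores it
var_dump($observed[1] instanceof TempFile);
```

Unlike the proposed callback, this pre-scan runs before unserialize() rather than inside it, so it relies on over-approximating the set of class names in the payload.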