Newsgroups: php.internals
Message-ID: <510C03AE.2070903@sugarcrm.com>
Date: Fri, 01 Feb 2013 10:04:30 -0800
From: Stas Malyshev <smalyshev@sugarcrm.com>
Organization: SugarCRM
To: Pierrick Charron
CC: PHP Internals
References: <50FC9AC5.9070407@sugarcrm.com> <5106D92C.6020709@sugarcrm.com>
Subject: Re: [PHP-DEV] Re: [VOTE] CURLFile uploading API

Hi!

> I'm not against it but, just being curious, what are those security
> reasons ?
If you ever accepted serialized data from outside (say, after putting it in a cookie, or just having an API that accepts serialization) and then forwarded the same data array using cURL, the attacker could create a serialized representation of CURLFile that would make cURL send out a file on your filesystem, which would be a security breach. Basically the same security problem as with @, only with serialization involved. It is not a frequent case, but possible.

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
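An added illustration of the scenario Stas describes, not code from this thread or from PHP itself: a hypothetical relay endpoint that unserializes client-supplied form fields and forwards them through cURL, shown in its vulnerable form and in a hardened form that refuses any object and any non-scalar field before cURL sees the data. It assumes PHP 7.0 or later (for the `allowed_classes` option) and a placeholder upstream URL.

```php
<?php
// Added example (not from the thread, not PHP's own code). UPSTREAM is an
// assumed placeholder; the relay forwards whatever form fields a client sent.
const UPSTREAM = 'https://upstream.example/api/relay';

// Vulnerable: the client's serialized array reaches cURL unchanged. If it
// rebuilds a CURLFile, cURL opens that object's path on *this* host and sends
// the file as a multipart part, the serialized twin of the old '@' prefix bug.
function relayVulnerable(string $untrustedSerialized): void
{
    $fields = unserialize($untrustedSerialized);
    $ch = curl_init(UPSTREAM);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
    curl_exec($ch);
    curl_close($ch);
}

// Hardened: no object survives unserialize(), and every field must be a plain
// scalar. The returned array is what goes into CURLOPT_POSTFIELDS; a file
// upload, if ever needed, is built server-side from a path the server chose.
function sanitizeFields(string $untrustedSerialized): array
{
    // allowed_classes => false: any object in the payload, CURLFile included,
    // comes back as __PHP_Incomplete_Class, which fails the scalar check below.
    $fields = unserialize($untrustedSerialized, ['allowed_classes' => false]);
    if (!is_array($fields)) {
        throw new InvalidArgumentException('expected a serialized array of form fields');
    }
    foreach ($fields as $name => $value) {
        if (!is_scalar($value)) {          // rejects objects and nested arrays
            throw new InvalidArgumentException("field '$name' is not a scalar");
        }
        // On PHP 5.x a string starting with '@' is itself a file-upload request
        // unless CURLOPT_SAFE_UPLOAD is on; reject it outright on any version.
        if (is_string($value) && $value !== '' && $value[0] === '@') {
            throw new InvalidArgumentException("field '$name' uses the '@' upload prefix");
        }
    }
    return $fields;
}

// Constructed inputs: a benign form, and one carrying an object (stands in for
// any object a client might smuggle in; no real CURLFile is needed to test).
$ok  = serialize(['doc' => 'quarterly report', 'page' => 3]);
$bad = serialize(['doc' => new stdClass]);
var_dump(sanitizeFields($ok));   // both fields returned unchanged
try { sanitizeFields($bad); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```

The same check applies whether the serialized blob came from a cookie or from an API request body: the point is that nothing rebuilt from client data is ever handed to cURL without being reduced to plain strings first.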