Newsgroups: php.internals
Xref: news.php.net php.internals:66867
Subject: Re: [PHP-DEV] [RFC] more secure unserialize()
From: Sanford Whiteman <swhitemanlistens-software@cypressintegrated.com>
To: Stas Malyshev
Date: Sun, 31 Mar 2013 01:04:38 -0400
Message-ID: <1976271560.20130331010438@cypressintegrated.com>
In-Reply-To: <5157AD1D.3020606@sugarcrm.com>
References: <5157A55A.1070507@sugarcrm.com> <5157AD1D.3020606@sugarcrm.com>

> This is not a good situation, and presently there is no way to
> avoid it except dropping serialize() completely - which may not be
> an option in some cases and in any case would require serious
> changes to the production code.

And what about automatic un/serialize() of objects in $_SESSION? People don't even see those function calls in their code, so dropping the functionality would be a wildly drastic move.

IMO, there's a minefield of "most surprise" to worry about unless you tread gently, as in your suggestion of an extra param. And you'd probably want two optional PHP.INI settings: one for when unserialize() is called automatically (so you can't pass it anything), and one for when unserialize() is called in user code without a second argument but you want a default whitelist to be applied (say, to instantly "harden" a codebase and sort out consequences later).

-- S.
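The "extra param" whitelist discussed in this thread, shown as an added example that is not part of the original mail or of the RFC text. It uses the `allowed_classes` option that unserialize() gained in PHP 7.0, after this discussion; the `Gadget` and `Cart` classes, the `safeUnserialize` wrapper and the serialized payload are constructed for the example, and the code assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for any autoloadable class whose magic methods run as a
// side effect of unserialize(). A real gadget would unlink() or write to
// $this->path in __wakeup(); this one only records that __wakeup() ran.
final class Gadget
{
    public string $path = '/tmp/was-touched';
    public static bool $fired = false;

    public function __wakeup(): void
    {
        self::$fired = true;
    }
}

// A value object the application legitimately stores in serialized form.
final class Cart
{
    public function __construct(public array $items = []) {}
}

// Recursively look for __PHP_Incomplete_Class inside the decoded value.
// unserialize() substitutes it for every class not on the whitelist and does
// not call that class's __wakeup(); we treat its presence as a hard failure.
function containsIncompleteClass(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value) || is_object($value)) {
        // (array) on an object exposes its properties, private ones included.
        foreach ((array) $value as $child) {
            if (containsIncompleteClass($child)) {
                return true;
            }
        }
    }
    return false;
}

// Hypothetical wrapper the application calls instead of bare unserialize().
// $allowed is the list of classes this particular payload is expected to hold.
function safeUnserialize(string $data, array $allowed): mixed
{
    $value = unserialize($data, ['allowed_classes' => $allowed]);
    // unserialize() returns false both on malformed input and for a
    // legitimately serialized false ('b:0;'); distinguish the two.
    if ($value === false && $data !== 'b:0;') {
        throw new UnexpectedValueException('malformed serialized data');
    }
    if (containsIncompleteClass($value)) {
        throw new UnexpectedValueException('serialized data names a class outside the whitelist');
    }
    return $value;
}

// Constructed hostile payload: an attacker-controlled string that names Gadget.
$hostile = 'O:6:"Gadget":1:{s:4:"path";s:11:"/etc/passwd";}';

// Before: bare unserialize() instantiates Gadget and its __wakeup() runs.
unserialize($hostile);
printf("bare unserialize(): Gadget::__wakeup fired = %s\n", var_export(Gadget::$fired, true));
Gadget::$fired = false;

// After: only Cart is whitelisted; Gadget becomes __PHP_Incomplete_Class,
// __wakeup() never runs, and the wrapper rejects the payload outright.
try {
    safeUnserialize($hostile, [Cart::class]);
} catch (UnexpectedValueException $e) {
    printf("safeUnserialize(): rejected (%s)\n", $e->getMessage());
}
printf("whitelisted unserialize(): Gadget::__wakeup fired = %s\n", var_export(Gadget::$fired, true));

// Legitimate data still round-trips through the same wrapper.
$cart = safeUnserialize(serialize(new Cart(['sku-1' => 2])), [Cart::class]);
printf("round-trip: %s with %d item(s)\n", $cart::class, count($cart->items));
```

The option only reaches explicit unserialize() calls. The session case raised in the mail is different: the session module deserializes $_SESSION through its own serializer, so a wrapper like this never sees that data, which is the gap the proposed PHP.INI default would have to cover.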