Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] more secure unserialize()
From: Sanford Whiteman <swhitemanlistens-software@cypressintegrated.com>
To: Stas Malyshev
Date: Sun, 31 Mar 2013 03:59:03 -0400
Message-ID: <1853687623.20130331035903@cypressintegrated.com>
In-Reply-To: <5157CCAE.9050902@sugarcrm.com>
References: <5157A55A.1070507@sugarcrm.com> <5157AD1D.3020606@sugarcrm.com> <1976271560.20130331010438@cypressintegrated.com> <5157CCAE.9050902@sugarcrm.com>

>> And what about automatic un/serialize() of objects in $_SESSION?
>> People don't even see those function calls in their code, so dropping
>> the function/ality would be a wildly drastic move.

> Nothing about it, the change is for unserialize() function.

OK. I thought of this as one core security issue with multiple possible ways of getting a payload to the internal (C) unserialize code. (If not, guess I could draw up an RFC for the other vector.)

It is harder to inject arbitrary objects into session storage than to exploit blind-request-variable-unserialization type stuff (though the latter can be a stepping stone to the former). But the potential payoff in $_SESSION is so huge, I think having "secure unserialize" for sessions is fully justified. Otherwise you're saying "I can't guarantee objects with killer wakeups/dtors were not injected via one of the apps on my server, and I have no way to stop them from instantiating magically provided they get through the right way."

> We have to get away from mentality of "if we need to modify some
> behavior, we just put a variable in global state to control it".
> Global state is the last resort, not the first one.

I guess it could be another argument to session_start() instead.

--
S.

P.S. Sure you'll shoot down this idea as well, but I think it would be good if Filters had a corresponding validator, such as:

FILTER_VALIDATE_UNSERIALIZED: detect strings in PHP bytestream format. Flags FILTER_ALLOW_SERIALIZED_SCALAR, FILTER_ALLOW_SERIALIZED_NONOBJECT to fine-tune.

Otherwise, if you are still expecting bytestream format from the client and want to detect tampering on input, you have to write a best-guess regex to try to differentiate between 'Some:free { text; }', 'O:8:"class":0:{}', 'S:12...' etc.
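The validator sketched in the P.S., as an added example that is not part of this thread and not code from PHP's ext/filter: a userland walker over the serialize() bytestream that classifies a string as serialized scalar, non-object or object without ever calling unserialize(), so no __wakeup()/__destruct() can run while the decision is made. The function names, the two ALLOW_* constants and the sample inputs are assumptions chosen for the example; the flag semantics (no flags = plain detection, SCALAR = scalars only, NONOBJECT = scalars and object-free arrays) are one reading of "fine-tune".

```php
<?php
// Added example, not code from the php.internals thread or from PHP itself.
// walk_serialized(), filter_validate_unserialized() and the ALLOW_* names
// are assumptions for this sketch. Nothing here instantiates anything.

const ALLOW_SERIALIZED_SCALAR    = 1;   // accept only N/b/i/d/s/S values
const ALLOW_SERIALIZED_NONOBJECT = 2;   // also accept arrays containing no objects

// Consume one serialized value at $pos, advancing $pos past it. Returns the
// highest "rank" seen: 0 = scalar, 1 = array, 2 = object (O: or C:).
// Throws UnexpectedValueException on anything malformed.
function walk_serialized(string $s, int &$pos): int
{
    if ($pos >= strlen($s)) {
        throw new UnexpectedValueException("truncated at offset $pos");
    }
    // Match $re anchored at $pos (\G), advance past the match, return captures.
    $take = function (string $re) use ($s, &$pos): array {
        if (!preg_match($re, $s, $m, 0, $pos)) {
            throw new UnexpectedValueException("bad token at offset $pos");
        }
        $pos += strlen($m[0]);
        return $m;
    };

    switch ($s[$pos]) {
        case 'N': $take('/\GN;/');        return 0;
        case 'b': $take('/\Gb:[01];/');   return 0;
        case 'i': $take('/\Gi:-?\d+;/');  return 0;
        case 'd': $take('/\Gd:(?:-?INF|NAN|-?\d+(?:\.\d+)?(?:E[+-]?\d+)?);/'); return 0;
        case 'r':                         // r:/R: back-reference to a slot already
        case 'R': $take('/\G[rR]:\d+;/'); return 0;   // walked, so already ranked

        case 's':                         // s:<len>:"<raw bytes>";  length is verified
            $m = $take('/\Gs:(\d+):"/');
            $n = (int) $m[1];
            if (substr($s, $pos + $n, 2) !== '";') {
                throw new UnexpectedValueException("string length mismatch at offset $pos");
            }
            $pos += $n + 2;
            return 0;

        case 'S':                         // S:<len>:"...";  each \xx escape is one byte
            $m = $take('/\GS:(\d+):"/');
            for ($i = 0, $n = (int) $m[1]; $i < $n; $i++) {
                $pos += (($s[$pos] ?? '') === '\\') ? 3 : 1;
            }
            $take('/\G";/');
            return 0;

        case 'a':                         // a:<count>:{<key><value>...}
            $m = $take('/\Ga:(\d+):\{/');
            $rank = 1;
            for ($i = 0, $n = (int) $m[1]; $i < $n; $i++) {
                $k = $s[$pos] ?? '';
                if ($k !== 'i' && $k !== 's') {          // keys are int or string only
                    throw new UnexpectedValueException("bad array key at offset $pos");
                }
                walk_serialized($s, $pos);                       // key
                $rank = max($rank, walk_serialized($s, $pos));   // value
            }
            $take('/\G\}/');
            return $rank;

        case 'O':                         // O:<len>:"<class>":<count>:{<name><value>...}
            $m = $take('/\GO:(\d+):"/');
            $pos += (int) $m[1];                                 // skip class name
            $m = $take('/\G":(\d+):\{/');
            for ($i = 0, $n = (int) $m[1]; $i < $n; $i++) {
                walk_serialized($s, $pos);                       // property name
                walk_serialized($s, $pos);                       // property value
            }
            $take('/\G\}/');
            return 2;

        case 'C':                         // C:<len>:"<class>":<len>:{<opaque data>}
            $m = $take('/\GC:(\d+):"/');
            $pos += (int) $m[1];
            $m = $take('/\G":(\d+):\{/');
            $pos += (int) $m[1];
            $take('/\G\}/');
            return 2;
    }
    throw new UnexpectedValueException("unknown type '{$s[$pos]}' at offset $pos");
}

// True if $s is exactly one well-formed serialize() bytestream whose shape is
// allowed by $flags. No flags = detection only (objects included).
function filter_validate_unserialized(string $s, int $flags = 0): bool
{
    try {
        $pos  = 0;
        $rank = walk_serialized($s, $pos);
    } catch (UnexpectedValueException $e) {
        return false;
    }
    if ($pos !== strlen($s)) {
        return false;                   // trailing bytes; unserialize() would ignore them
    }
    $maxRank = $flags === 0 ? 2 : (($flags & ALLOW_SERIALIZED_NONOBJECT) ? 1 : 0);
    return $rank <= $maxRank;
}

// Constructed inputs, including the shapes the P.S. says a regex must tell apart.
$samples = [
    'i:42;'                           => 'scalar',
    'a:1:{s:4:"user";s:5:"alice";}'   => 'array of scalars',
    'O:8:"stdClass":0:{}'             => 'object',
    'a:1:{i:0;O:8:"stdClass":0:{}}'   => 'object nested in array',
    'Some:free { text; }'             => 'free text',
    's:5:"abc";'                      => 'length does not match',
];
foreach ($samples as $in => $what) {
    printf("%-32s %-24s detect=%-5s scalar=%-5s nonobject=%s\n", $in, $what,
        var_export(filter_validate_unserialized($in), true),
        var_export(filter_validate_unserialized($in, ALLOW_SERIALIZED_SCALAR), true),
        var_export(filter_validate_unserialized($in, ALLOW_SERIALIZED_NONOBJECT), true));
}
```

The walker is deliberately strict where unserialize() is lenient: it rejects trailing bytes and any string whose declared length does not land on the closing `";`, because both are the kind of tampering the P.S. wants to catch before the C code sees the payload. Two caveats for anyone reusing the idea: `r:`/`R:` back-references are accepted without resolving their targets, which is fine for ranking (the target was already walked) but means the walker is not a full validity check; and PHP 7.0 later added `unserialize($s, ['allowed_classes' => false])` as a per-call switch, which addresses the explicit unserialize() case in the thread but, being an argument to that function, does not reach the session layer's own decoding that this message is concerned with.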