Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:66870 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 32977 invoked from network); 31 Mar 2013 12:04:53 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 31 Mar 2013 12:04:53 -0000 Authentication-Results: pb1.pair.com header.from=ircmaxell@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=ircmaxell@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.182 as permitted sender) X-PHP-List-Original-Sender: ircmaxell@gmail.com X-Host-Fingerprint: 209.85.220.182 mail-vc0-f182.google.com Received: from [209.85.220.182] ([209.85.220.182:52938] helo=mail-vc0-f182.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id B3/81-20307-56628515 for ; Sun, 31 Mar 2013 07:04:53 -0500 Received: by mail-vc0-f182.google.com with SMTP id ht11so1639365vcb.13 for ; Sun, 31 Mar 2013 05:04:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=Zlga2COSgDpwapnkZcauo/cuVNbFKvmzym7V555PObs=; b=tVHTBkFtXGAIjUtVj/h35W8+7K3zeXkoabOT26Bqqr/qGK9/TkFmfGnfxqzgCoTLbH uXcnNBEd/5D8keQqmoyq9R0RMiaZ8Cu+VlJi6HijiZZ1zvW3/SkGTeiGUuFCz6Kp0MLB vfLxeqiLE+fzjzjuMJw14zqLdyyAULlQNNnWExRZXZWGOlgLXQX7BgaEj4XFoI3EZpP/ CnqGvXGSvclToPbckAoQAmimb/ES+BSz2s2lNlF4MNjM33l31TxNA1Mrm5leKZqSNHT8 M5dfOk7RXuGT6QDn2sdq2FIT30YxBmEjOW3Bza7RdAOACwgY3H7/8+Fz58tnm9imqWrF 7XJQ== MIME-Version: 1.0 X-Received: by 10.58.144.133 with SMTP id sm5mr6541034veb.23.1364731490594; Sun, 31 Mar 2013 05:04:50 -0700 (PDT) Received: by 10.58.156.103 with HTTP; Sun, 31 Mar 2013 05:04:50 -0700 (PDT) In-Reply-To: <5157AD1D.3020606@sugarcrm.com> References: <5157A55A.1070507@sugarcrm.com> <5157AD1D.3020606@sugarcrm.com> Date: Sun, 31 Mar 2013 08:04:50 -0400 Message-ID: To: Stas Malyshev Cc: Sherif Ramadan , PHP Internals Content-Type: multipart/alternative; boundary=047d7b675b26b5ff0a04d9374fe2 Subject: Re: [PHP-DEV] [RFC] more secure unserialize() From: ircmaxell@gmail.com (Anthony Ferrara) --047d7b675b26b5ff0a04d9374fe2 Content-Type: text/plain; charset=ISO-8859-1 Stas, The fact is that people do use serialize() for data that may be > accessible by the user (or made accessible by unrelated security issues, > which may be upgraded in severity by this - e.g. from SQL injection to > persistent code backdoor on the server). There are many ways to do > things differently, and they are known. However, as I said, the fact is > people do use serialize() and may not even realize the data aren't as > secure as they are. That's why many security tools flag any object with > dtor in application using unserialize as insecure. This is not a good > situation, and presently there are no way to avoid it except dropping > serialize() completely - which may not be an option is some cases and in > any case would require serious changes to the production code. > > This enhancement is to fix this problem. It is not to change best > practices or give advice on how to write the most secure system - it is > to make existing code more secure easily. I definitely see your point, and don't disagree with it at all. Again, my concern is that people will then be tempted to use serialization to the client as it's "safe" (with these modifications). Which I think we should discourage for new code.... So what if we did this: We implement your RFC, but also put a warning in the docs that serialize() shouldn't be used in places where a user or third party can modify the output (to use json_encode() for those areas). That way we're not encouraging serialize to be used in places it shouldn't, but also give those with legacy codebases or really awkward use-cases the ability to be "more secure"... Thoughts? --047d7b675b26b5ff0a04d9374fe2--