Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:66872
Return-Path: <nikita.ppv@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 53105 invoked from network); 31 Mar 2013 18:36:42 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 31 Mar 2013 18:36:42 -0000
Authentication-Results: pb1.pair.com header.from=nikita.ppv@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=nikita.ppv@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.214.170 as permitted sender)
X-PHP-List-Original-Sender: nikita.ppv@gmail.com
X-Host-Fingerprint: 209.85.214.170 mail-ob0-f170.google.com  
Received: from [209.85.214.170] ([209.85.214.170:56557] helo=mail-ob0-f170.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id CB/54-20307-93288515 for <internals@lists.php.net>; Sun, 31 Mar 2013 13:36:42 -0500
Received: by mail-ob0-f170.google.com with SMTP id wc20so1437699obb.1
        for <internals@lists.php.net>; Sun, 31 Mar 2013 11:36:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:x-received:in-reply-to:references:date:message-id
         :subject:from:to:cc:content-type;
        bh=ZwzDDvzRY8IucW+GyI3bxrAUgMaW35Te9PT9JFnb36U=;
        b=CSupvSdvI3Pph9F0q1M9NNlKXd+nDCJ/oDSa6GKsMQdCTmd3PJk3k5j5L7uVd8fc+9
         moL1ueB9CkK+7du7NbAIPzm5MAN1/M4qO5HGqRR8LqEnmJim23f00kO5cOJ+A2glD1By
         jVNuPDJJORNMazl6LrTN91zI8+GGRfCEQ2AZr1nO4OatGHMYG8CMhckzVY16OxohR99J
         /fWSBR+HtAQovxlcp4eNAGTka4y5petm9j6/plu9NanZoFzxGcibDPHiBC2UexXY9SO/
         Z9rpuZ8jpEpD+Z9DBnhUYxLWz0OuvevzaxZtyjADpU11fQpd0ozRAsoxT5l+lVUnR1zf
         gl8Q==
MIME-Version: 1.0
X-Received: by 10.60.0.129 with SMTP id 1mr3075644oee.5.1364754999023; Sun, 31
 Mar 2013 11:36:39 -0700 (PDT)
Received: by 10.182.49.136 with HTTP; Sun, 31 Mar 2013 11:36:38 -0700 (PDT)
In-Reply-To: <5157AD1D.3020606@sugarcrm.com>
References: <5157A55A.1070507@sugarcrm.com>
	<CAAyV7nGtz94NaFdeQ4KL9X3_LX-dc=zbt35o=qoqd1zWGTFgaA@mail.gmail.com>
	<CAL+t6cF_pzrQtNSYMjCmxhm67QtbfhpEUiWx4xGWxAJpafrwkQ@mail.gmail.com>
	<5157AD1D.3020606@sugarcrm.com>
Date: Sun, 31 Mar 2013 20:36:38 +0200
Message-ID: <CAF+90c_BGKiRsNEk+JD15Pr2oSSR=NShkf-wFsZp2497J-RMhw@mail.gmail.com>
To: Stas Malyshev <smalyshev@sugarcrm.com>
Cc: Sherif Ramadan <theanomaly.is@gmail.com>, PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=e89a8fb20486ec6b3004d93cc89e
Subject: Re: [PHP-DEV] [RFC] more secure unserialize()
From: nikita.ppv@gmail.com (Nikita Popov)

--e89a8fb20486ec6b3004d93cc89e
Content-Type: text/plain; charset=ISO-8859-1

On Sun, Mar 31, 2013 at 5:27 AM, Stas Malyshev <smalyshev@sugarcrm.com>wrote:

> > I think Stas proposes a solution to the problem and I think Anthony
> > proposes a viable alternative. I would say that Anthony has found the
> > shortest distance between the two points (the problem and the solution),
> > however.
>
> The fact is that people do use serialize() for data that may be
> accessible by the user


Yeah, well, the people who do that are also the ones that are unlikely to
make use of the new parameters to secure themselves. In order to make them
use of the new feature they have to be explicitly educated about it and in
that case we can just as well educate them to use json_encode. In that
regard, I don't think this proposal is particularly useful.

JSON and serialize() are (inherently) different serialization formats with
different use-cases. The former is rather restricted and as such safe to be
provided by the user. The latter on the other hand aims at exactly
replicating the structure. Using the latter format for the former task is
in any case a bad idea. It's not like unserializing objects with dtors is
the only issue that can turn up. serialize() also supports references and
object-references, so one could probably use it quite easily to trigger
some kind of infinite loop/recursion in the application.

So, I personally don't see much value in this addition. Rather it could
provide people an excuse to use the function on user-provided data, which
is, as already mentioned, a bad idea. Even with this additional protection.
Also I'd like to point out that unserialize() in the past had a relatively
large number of different security vulnerabilities, so one should really,
really not trust it with data of unknown origin. Internal classes can quite
commonly be made to segfault with specially crafted serialization input.
E.g. the user might think that, hey, DateTime is a safe class, let's allow
unserializing that. Sounds legit doesn't it? Then let's remember those
various serialization bugs that were recently fixed in DateTime (or the
related classes, didn't really look at it). And then we would have a
potentially exploitable segmentation fault :)

Nikita

--e89a8fb20486ec6b3004d93cc89e--