Newsgroups: php.internals
Subject: Re: [PHP-DEV] [PROPOSAL] add a leading backslash to classname when serializing/var_exporting
From: admacedo@gmail.com (Daniel Macedo)
To: Thomas Hruska
Cc: PHP Internals
Date: Mon, 15 Apr 2013 15:26:38 +0100
In-Reply-To: <516C0601.7060003@cubiclesoft.com>
References: <51647536.6030108@sugarcrm.com> <516489F1.70106@lerdorf.com> <516C0601.7060003@cubiclesoft.com>

I've seen the usage of signing/hashing stored alongside the serialized data to prevent this sort of injection.
Still not 100% safe, but in case you really can't escape the use of serialize, it's a start...

On Mon, Apr 15, 2013 at 2:52 PM, Thomas Hruska wrote:
> On 4/14/2013 7:56 PM, Laruence wrote:
>
>> hey:
>> thanks very much for all feedbacks.
>>
>> so, maybe we should document this instead of adding lead backslash?
>>
>> thanks
>>
>>
>> On Wed, Apr 10, 2013 at 5:36 AM, Rasmus Lerdorf wrote:
>>
>>> On 04/09/2013 01:23 PM, Madara Uchiha wrote:
>>>
>>>> Well, why would you need to serialize an object in one version of PHP,
>>>> and unserialize it in another?
>>>>
>
> serialize()/unserialize() is a convenient, clean, and powerful data
> transport mechanism for PHP across many sessions and hosts. Using
> serialize() and unserialize() is an addiction - once someone starts, it is
> impossible for them to stop.
>
> json_encode()/json_decode() can be useful for cross-language support, but
> they are much more limited. json_decode() has the added natural benefit of
> not being as vulnerable as unserialize().
>
>
>>> people do that all the time. They store serialized
>>> versions of stuff in databases and other backends and even send it
>>> across the wire from one machine to another, so it is quite common for
>>> something serialized in one version to need to be unserialized in
>>> another.
>>>
>>> -Rasmus
>>>
>>
> While updating the documentation, maybe also include some discussion on
> the dangers of unserializing data without first establishing trust? There
> was a discussion not too long ago on this list about PHP executing
> __destruct() of unserialized class data from untrusted sources. Example
> recent exploit:
>
> http://packetstormsecurity.com/files/118064/invision_pboard_unserialize_exec.rb.txt
>
> --
> Thomas Hruska
> CubicleSoft President
>
> I've got great, time saving software that you might find useful.
>
> http://cubiclesoft.com/
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
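The signing-alongside-the-serialized-data approach mentioned above, as an added PHP example that is not code from the thread or from any of its participants. The secret key, the `mac|payload` container layout and the sample values are assumptions, and the `allowed_classes` option used for defence in depth only exists from PHP 7.0 onward.

```php
<?php
// Added example: sign serialized data with an HMAC and verify it before calling
// unserialize(), so a tampered or attacker-supplied blob is rejected first.
// $secret is an assumed server-side key; never derive it from user input.

const SIGN_ALGO = 'sha256';

function signedSerialize($value, string $secret): string
{
    $payload = serialize($value);
    $mac = hash_hmac(SIGN_ALGO, $payload, $secret);
    // Assumed container layout: <hex mac>|<serialized payload>.
    return $mac . '|' . $payload;
}

function signedUnserialize(string $blob, string $secret)
{
    $parts = explode('|', $blob, 2);
    if (count($parts) !== 2) {
        throw new RuntimeException('malformed signed payload');
    }
    list($mac, $payload) = $parts;
    $expected = hash_hmac(SIGN_ALGO, $payload, $secret);
    // hash_equals() compares in constant time, so the MAC check itself
    // does not leak how many leading bytes matched.
    if (!hash_equals($expected, $mac)) {
        throw new RuntimeException('signature mismatch, refusing to unserialize');
    }
    // Defence in depth (PHP >= 7.0): with allowed_classes => false no object is
    // instantiated, so __wakeup()/__destruct() of arbitrary classes cannot run
    // even if the key leaks. Objects come back as __PHP_Incomplete_Class.
    return unserialize($payload, ['allowed_classes' => false]);
}

// Constructed demo values.
$secret = 'replace-with-a-random-server-side-key';
$data   = ['user' => 'alice', 'roles' => ['editor']];

$blob = signedSerialize($data, $secret);
var_dump(signedUnserialize($blob, $secret) === $data);

// Editing the stored payload (here the role name, same length so the
// serialized string stays well-formed) invalidates the MAC and is rejected.
$tampered = str_replace('editor', 'viewer', $blob);
try {
    signedUnserialize($tampered, $secret);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The MAC only proves the blob was produced by a holder of the key; it does not make unserialize() safe on data that was signed by a compromised or careless producer, which is why the class whitelist is applied as well.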