Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:69464
Return-Path: <nikita.ppv@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 59383 invoked from network); 2 Oct 2013 18:40:17 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 2 Oct 2013 18:40:17 -0000
Authentication-Results: pb1.pair.com header.from=nikita.ppv@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=nikita.ppv@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.180 as permitted sender)
X-PHP-List-Original-Sender: nikita.ppv@gmail.com
X-Host-Fingerprint: 209.85.217.180 mail-lb0-f180.google.com  
Received: from [209.85.217.180] ([209.85.217.180:63750] helo=mail-lb0-f180.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id A3/1E-23255-F886C425 for <internals@lists.php.net>; Wed, 02 Oct 2013 14:40:16 -0400
Received: by mail-lb0-f180.google.com with SMTP id q8so1121772lbi.11
        for <internals@lists.php.net>; Wed, 02 Oct 2013 11:40:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=7EWbeMzkETnHBkQzOUtDezPqCbKT+q7silYqcy78fO4=;
        b=V/esnSliPMxO4rRwyMGdrHR91pt2tlXO45Kr3bzzDE14Wewi6eOioraPJW0xC+Ow1k
         IaJ66eR/22QWsGDCB2PTx25qvyxWiW+6c1D9LUW6GVBAnxpueO3jb8qacaW+yBMg13dh
         NreAg1uxsgiO2ZTdAgvU8DNDkZrbiN31AFAvyR39Vf88QDxYDBmBQeG4ZJLhSXQC9YRy
         ueZUFbHMTW0LkgJPiuoo3wWeKAcUbxQdOM8tnAVdQTNCAkdhCKB0VdvulYNoK2cs2kQU
         8UPzKV93OpbvXTrBr8o9zb2Dbxlgfjc0nutZQAOBHXqDpw3dKiZzjhbkUrfMKolt/zV1
         AfPg==
MIME-Version: 1.0
X-Received: by 10.112.50.109 with SMTP id b13mr2296546lbo.47.1380739212673;
 Wed, 02 Oct 2013 11:40:12 -0700 (PDT)
Received: by 10.112.133.202 with HTTP; Wed, 2 Oct 2013 11:40:12 -0700 (PDT)
In-Reply-To: <CALJZF3iFW95tw7JDk+G_-2FbgY6gTpUTWQvVy87EdtOmA7t0iA@mail.gmail.com>
References: <CALJZF3hq1FVTJUGwq9PAt+6joDhmuoXPR9Z8cxTPvafUmek9wg@mail.gmail.com>
	<CAF+90c--kSrsWAPr_p8J7KV=TsStSL4NL1GCKRDeyycdZxDWyg@mail.gmail.com>
	<CALJZF3iFW95tw7JDk+G_-2FbgY6gTpUTWQvVy87EdtOmA7t0iA@mail.gmail.com>
Date: Wed, 2 Oct 2013 20:40:12 +0200
Message-ID: <CAF+90c98XmsGjPHjGx9=4SNFoFgp98JFfRZTXDUx1bo62dzd_g@mail.gmail.com>
To: Michael Wallner <mike@php.net>
Cc: PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11336ce24c8c9b04e7c66600
Subject: Re: [PHP-DEV] HTTP supergloblas and request body/query (was: Parsing
 PUT data)
From: nikita.ppv@gmail.com (Nikita Popov)

--001a11336ce24c8c9b04e7c66600
Content-Type: text/plain; charset=ISO-8859-1

On Wed, Oct 2, 2013 at 8:02 PM, Michael Wallner <mike@php.net> wrote:

> >> There are already parsers for application/x-www-form-urlencoded and
> >> multipart/form-data in the core.  One could think of providing an API
> >> to add content type handlers from extensions, ext/json may be an
> >> example, like it is hacked into pecl_http-v2.
> >
> >
> > I would *strongly* recommend against adding additional body parsers that
> are
> > automatically invoked based on the content type. Adding additional
> parsers
> > creates a high security risk. E.g. exposing ext/json as it is now would
> open
> > you to a denial of service attack (if I'm not mistaken). There has been a
> > long history of security vulnerabilities (both DOS and RCE) related to
> > unnecessary or incorrect exposure of request body parsers. A prominent
> > recent example are the RCE vulnerabilities in Rails caused by the
> exposure
> > of YAML and JSON parsers.
>
> Pointers, references, evidences?
>

The Rails RCE (remote code execution) vulnerability I'm referring to is
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ,
which is caused by exposing YAML and XML parsers. There have been several
subsequent vulnerabilities in this area, e.g.
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo,
which involves exposing a JSON parser that happened to operate on YAML
internally. You'll find that similar vulns turned up in various
webframeworks over time (one other case I remember off the top of my head
is a parameter parsing vulnerability in Apache Struts2 related to OGNL).

The DOS vulnerability that would turn up by directly exposing json_decode
as a body parser is the standard HashDOS vulnerability (which exploits
collisions in the array key hashing functions).

Even without exposing additional parser PHP already had its share of
vulnerabilities in this area (e.g. HashDOS and the subsequent RCE that its
fix caused).

I'm not saying that adding additional parsers is bad *per se*, I'm just
saying that you need to be very careful what you add here. The more
automatic body parsers you have the larger the attack surface becomes.

Nikita

--001a11336ce24c8c9b04e7c66600--