Newsgroups: php.internals
Date: Thu, 17 Oct 2013 09:27:23 +0200
From: Jordi Boggiano (j.boggiano@seld.be)
To: PHP Developers Mailing List
Subject: Validation of class names in the autoload process

It has come to my attention that it's possible to abuse some autoloaders by trying to autoload class names like "Foo\Bar\..\..\uploads\exploit.php", for example, which could be transformed to src/Foo/Bar/../../uploads/exploits.php, and then would require that file. Obviously the code would most likely end up in a fatal error because the class is missing, but the file still gets required.

This would be possible if for some reason you use unvalidated user input to create class names, which I know I have done myself in APIs to deserialize POSTed data to a class Foo\X or Foo\Y, for example.

There are different ways to handle this, but the way I see it, it would be best handled at the php core level by simply preventing classes containing dots (and possibly null bytes and other chars?) from ever reaching the userland autoloaders. The other alternative is for every autoloader out there to protect itself, inducing perf penalties and leaving most autoloaders vulnerable.

It's a slim vector perhaps, but a valid one nonetheless, and I think it can be fixed at the source without any BC issue, since the only way to use classes with dots right now is to use stuff like class_alias() to define them and then use them through strings/var names consistently, which sounds so painful I can't imagine why one would have ever done so.

Cheers
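The "every autoloader protects itself" alternative the post mentions, as an added example that is not part of the original message: a naive PSR-0-style class-to-path mapping beside a hardened one that only accepts names made of valid PHP labels and refuses any resolved file outside the base directory. The base directory `SRC_DIR` and the function names are assumptions for this example.

```php
<?php
// Added example, not code from the original post. SRC_DIR is an assumed base
// directory; the function names are likewise chosen for this illustration.
const SRC_DIR = __DIR__ . '/src';

// Naive mapping: the class name is copied straight into the path, so a name
// such as "Foo\Bar\..\..\uploads\exploit.php" becomes
// src/Foo/Bar/../../uploads/exploit.php and would be required as-is.
function naive_class_to_path(string $class): string
{
    return SRC_DIR . '/' . str_replace('\\', '/', ltrim($class, '\\')) . '.php';
}

// A class name is acceptable only if every backslash-separated segment is a
// valid PHP label: no dots, slashes, null bytes or other stray characters.
function is_valid_class_name(string $class): bool
{
    $label = '[A-Za-z_\x80-\xff][A-Za-z0-9_\x80-\xff]*';
    return preg_match('/^' . $label . '(\\\\' . $label . ')*$/', ltrim($class, '\\')) === 1;
}

// Hardened mapping: validate the name first, then confirm that the resolved
// file really lives under SRC_DIR. Returns null when the class must not be loaded.
function safe_class_to_path(string $class): ?string
{
    if (!is_valid_class_name($class)) {
        return null;
    }
    $real = realpath(naive_class_to_path($class));
    $base = realpath(SRC_DIR);
    if ($real === false || $base === false) {
        return null;              // file (or base dir) does not exist
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;              // resolved outside the base directory
    }
    return $real;
}

// Register the hardened loader; invalid names simply fall through to the
// usual "class not found" error instead of requiring an arbitrary file.
spl_autoload_register(function (string $class): void {
    $path = safe_class_to_path($class);
    if ($path !== null) {
        require $path;
    }
});

// Constructed inputs for a quick check of the validation stage alone.
var_dump(is_valid_class_name('Foo\Bar\Baz'));
var_dump(is_valid_class_name('Foo\Bar\..\..\uploads\exploit.php'));
var_dump(is_valid_class_name("Foo\\Bar\0"));
```

The regex covers the same character set PHP itself allows in identifiers, so legitimate namespaced classes pass while anything carrying path syntax is rejected before the filesystem is touched.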