Newsgroups: php.internals
From: smalyshev@sugarcrm.com (Stas Malyshev)
To: Ferenc Kovacs, Sebastian Bergmann, Marco Pivetta
CC: Julien Pauli, Remi Collet, PHP Internals
Date: Sat, 21 Jun 2014 18:01:51 -0700
Organization: SugarCRM
Message-ID: <53A62AFF.4080302@sugarcrm.com>
References: <53A1C722.9060501@fedoraproject.org> <53A21137.6010705@sugarcrm.com> <53A2A9BD.1070603@sugarcrm.com> <53A3874E.20704@sugarcrm.com>
Subject: Re: [PHP-DEV] Re: Problems with the fix for the BC break introduced in 5.4.29 and 5.5.13

Hi!

> The original SplFileObject segfault can be achieved without any
> unserialize trick, one can simply extend an internal class depending on
> its constructor for providing the required initial state, and simply
> not call the parent::__construct() from the child:
> http://3v4l.org/fqFC6

Unserialize is a problem because unserialize sometimes deals with external
data, so if you can trick unserialize to crash, you may be able to cause at
least DoS, maybe RCE. Just some crafted code is less of a problem in this
context. So I'd like very much to find a solution which allows us to eliminate
crashes in unserialize(). The question is whether we can do this without
messing up phpunit and so on too badly.

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
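The risk Stas describes is unserialize() instantiating an internal class from external data without its constructor ever running. One application-side mitigation, as an added example that is not code from this thread or from PHP itself, is to walk the serialize() format and refuse object tokens before calling unserialize(); it assumes PHP >= 7.0 for `declare(strict_types=1)` and the `allowed_classes` option, and the function names and sample inputs are constructed for the illustration.

```php
<?php
declare(strict_types=1);
// Walk the serialize() format and refuse "O:" / "C:" tokens before the data
// reaches unserialize(). NULL, scalars, arrays and back-references are allowed.
function assertNoObjects(string $data, int &$pos): void
{
    switch ($data[$pos] ?? '') {
        case 'N': case 'b': case 'i': case 'd': case 'r': case 'R':  // N; b:1; i:42; d:0.5; r:2;
            $end = strpos($data, ';', $pos);
            if ($end === false) throw new UnexpectedValueException("truncated scalar at $pos");
            $pos = $end + 1;
            return;
        case 's':                                    // s:<len>:"<bytes>";
            $colon = strpos($data, ':', $pos + 2);
            if ($colon === false) throw new UnexpectedValueException("truncated string at $pos");
            $len = (int) substr($data, $pos + 2, $colon - $pos - 2);
            $pos = $colon + 2 + $len + 2;            // skip :" <bytes> ";  (length-prefixed, so
            return;                                  //  "O:" inside a string is never misread)
        case 'a':                                    // a:<count>:{key value ...}
            $open = strpos($data, '{', $pos);
            if ($open === false) throw new UnexpectedValueException("truncated array at $pos");
            $count = (int) substr($data, $pos + 2, $open - $pos - 3);
            $pos = $open + 1;
            for ($i = 0; $i < $count; $i++) {
                assertNoObjects($data, $pos);        // key
                assertNoObjects($data, $pos);        // value
            }
            if (($data[$pos] ?? '') !== '}') throw new UnexpectedValueException("unterminated array at $pos");
            $pos++;
            return;
        case 'O': case 'C':
            throw new UnexpectedValueException("object token rejected at offset $pos");
        default:
            throw new UnexpectedValueException("unknown token at offset $pos");
    }
}

function unserializeUntrusted(string $data)
{
    $pos = 0;
    assertNoObjects($data, $pos);
    if ($pos !== strlen($data)) throw new UnexpectedValueException('trailing data after value');
    // Second line of defence (PHP >= 7.0): no class is ever instantiated, whatever the scan missed.
    return unserialize($data, ['allowed_classes' => false]);
}

// Constructed inputs: a plain array passes, a crafted object token does not.
var_dump(unserializeUntrusted('a:1:{s:2:"id";i:7;}'));
try { unserializeUntrusted('O:13:"SplFileObject":0:{}'); }
catch (UnexpectedValueException $e) { echo $e->getMessage(), "\n"; }
```

This does nothing for the engine-side fix the thread is about (a subclass that skips parent::__construct() still needs the internal class to tolerate an uninitialised state), but it keeps external input from reaching that code path at all.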