Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:75039 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 96075 invoked from network); 22 Jun 2014 23:10:51 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 22 Jun 2014 23:10:51 -0000 Authentication-Results: pb1.pair.com header.from=tyra3l@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=tyra3l@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.52 as permitted sender) X-PHP-List-Original-Sender: tyra3l@gmail.com X-Host-Fingerprint: 209.85.216.52 mail-qa0-f52.google.com Received: from [209.85.216.52] ([209.85.216.52:58825] helo=mail-qa0-f52.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 12/50-25208-87267A35 for ; Sun, 22 Jun 2014 19:10:49 -0400 Received: by mail-qa0-f52.google.com with SMTP id w8so5059139qac.11 for ; Sun, 22 Jun 2014 16:10:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=+kWSwKK9wH5fYOFZhvi78Ngwska1R/AWf3+ftUmvVf4=; b=y70tPetIK9u5B9klIXdTp34gvHaaWM5SA7IPQGI9ZLAJI4qB4LdD7FKyYIP5q50cAQ FGHLC/0QMEPxlclQNqhn1cXuyQN9ADrhvYYVKrMYKg6c0X++cIONOS6ckj94aBG6YQCm h1aGxWfOkE5s+7eRVjsXUTrsH+67OK90QbSQ3oTqE0KhHA8yNlYXbJjhYd7Mq7Di7cAV a14F8rQwCJgJeZma9uvbkrO66lWhWYWLMT/TCD4vaRX6ZT68EbAU5mcDGOh0OLNq/VF/ IWgVLaj5vvTI4Wfz3kgTYx0zSDQYZtGbhJix3vo5v74+f6mb2h8JZdF89BsfwvnVLVsP IxVw== MIME-Version: 1.0 X-Received: by 10.140.26.179 with SMTP id 48mr26006894qgv.51.1403478646000; Sun, 22 Jun 2014 16:10:46 -0700 (PDT) Received: by 10.140.17.77 with HTTP; Sun, 22 Jun 2014 16:10:45 -0700 (PDT) In-Reply-To: <53A65578.6000701@sugarcrm.com> References: <53A1C722.9060501@fedoraproject.org> <53A21137.6010705@sugarcrm.com> <53A2A9BD.1070603@sugarcrm.com> <53A3874E.20704@sugarcrm.com> <53A65578.6000701@sugarcrm.com> Date: Mon, 23 Jun 2014 01:10:45 +0200 Message-ID: To: Stas Malyshev Cc: Sebastian Bergmann , Julien Pauli , Remi Collet , PHP Internals Content-Type: multipart/alternative; boundary=001a11c035f4251cc704fc74d6d6 Subject: Re: Bug 67072 resolution for 5.4/5.5 From: tyra3l@gmail.com (Ferenc Kovacs) --001a11c035f4251cc704fc74d6d6 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Sun, Jun 22, 2014 at 6:03 AM, Stas Malyshev wrote: > Hi! > > We're getting pretty short on time for resolving 67072 one way or > another, since we want to release next week (we've accumulated quite a > lot of security issues). I still think that: > > 1. We can not leave unserialize() segfault in the code in 5.4 > undisturbed. It's DoS opening as a minimum, and RCE potential, if > suitable internal class can be found, for every app that accepts > user-controlled serialized data. And there are a lot of such apps out > there. > for the issue to materialize you need to feed hand-crafted input to unserialize, anybody doing that with user controlled data already asking for problems, but I agree that we should fix if, and even fix it in a micro version if we won't totally cripple the the userland tools unfortunately depending on this trick. > > 2. We do not want to break phpunit/doctrine, at least as much as > possible without hurting #1. > > +1 > 3. Current code does not fix the segfault problem entirely, e.g.: > class MySplFileObject extends SplFileObject {} > echo > > unserialize('O:15:"MySplFileObject":1:{s:9:"*filename";s:15:"/home/flag/f= lag";}'); > > still segfaults for me. > yeah, this is what I also noticed and reported. > > 4. There are other ways to cause segfaults with internal objects, > unfortunately, but those require deliberate coding and I'm less worried > about it since those have no external exploitation potential. > I would say that this also a deliberate attempt, maybe a bit more obscure. > > Given this, I am proposing to check the check in var_unserializer to this= : > > if (ce->serialize =3D=3D NULL || ce->unserialize =3D=3D zend_user_unseria= lize || > (ZEND_INTERNAL_CLASS !=3D ce->type && ce->create_object =3D=3D NULL)) { > object_init_ex(*rval, ce); > } > > This would allow O: to work with the following: > > 1. Regular user classes > 2. User classes implementing Serializable - the result will be > semantically broken but no segfault should be produced since it is still > all within PHP engine, so the worst is that some PHP variables will be > left null instead of their real values. > 3. Internal classes that do not have their own serializer > > The following will still not work with O:: > 1. Internal classes with their own serializer > 2. User classes extending classes in 1. > > I prefer this over what we have in 5.4/5.5 and given how few classes does 1, actually mean, I think it would be an acceptable compromise, but let's hear what others think. > I've checked the Horde/phpunit test by Remi, and it works fine, but I'd > like more feedback on this. Please note we need some solution one way or > another in 3 days, so if we need more discussion on this I'd advise > maybe set up some session on IRC to hash it out. > I think #php.pecl on efnet would be the best place, as some of us already lurks there. > > P.S. For 5.6, I'd just remove the usage of O: hack for any class that > produces C: in serialize. If serializer does not produce it, it should > not accept it. > agree, but as I mentioned I would like to provide some alternative for creating those classes (eg. removing the restriction on internal classes for ReflectionClass::newInstanceWithoutConstructor) ps: I've seen that you created a pull request with the patch, if somebody don't wanna copypaste the patch from the mail, here it is: https://github.com/php/php-src/pull/701 --=20 Ferenc Kov=C3=A1cs @Tyr43l - http://tyrael.hu --001a11c035f4251cc704fc74d6d6--