Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: Bug 67072 resolution for 5.4/5.5
From: Marco Pivetta <ocramius@gmail.com>
To: Stas Malyshev
Cc: Nikita Nefedov, internals@lists.php.net
Date: Thu, 26 Jun 2014 02:39:48 +0200
In-Reply-To: <53A9CC06.5060707@sugarcrm.com>

On 24 June 2014 21:05, Stas Malyshev wrote:

> Hi!
>
> > I don't see any problem in the fact that you can skip actual instantiation
> > of the object. Even if there *is* a problem with that - a lot of user-land
>
> The problem is remotely-triggerable DoS and potentially RCE. Not
> sounding bad enough?

Hey Stas,

You keep mentioning these two, but don't they assume that the serialized data is user-provided? I don't think anybody sane would/should do that in the first place, as it would already be possible to cause RCE just with any class implementing the `Serializable` interface. Yes, Laravel did this via super-closure, but there was a security fix for it recently.

Could you clarify this particular point? I see RCEs anywhere user input is used to dynamically instantiate anything as well; I just think that it is not the case here, as it would be the developer's fault for granting the user access to serialized data.

Marco Pivetta

http://twitter.com/Ocramius
http://ocramius.github.com/
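The `Serializable`-based RCE that Marco refers to above can only fire when unserialize() is handed attacker-controlled bytes; as an added example that is not part of this thread, here is a wrapper that refuses any object in such data. It assumes PHP >= 7.0 (the allowed_classes option does not exist in the 5.4/5.5 branches the bug targets, where the only safe choice is to not call unserialize() on untrusted input at all), and the class and function names are hypothetical.

```php
<?php
// Added example, not code from the thread: a defensive wrapper around
// unserialize() for attacker-controlled data. Assumes PHP >= 7.0, where
// unserialize() accepts the allowed_classes option (absent in 5.4/5.5).
declare(strict_types=1);

final class UntrustedSerializedData extends RuntimeException {}

/**
 * Unserialize untrusted input while guaranteeing that no user-land class is
 * instantiated, so neither __wakeup() nor a Serializable::unserialize()
 * implementation can run on attacker-chosen data. Returns scalars/arrays only.
 */
function unserializeUntrusted(string $payload)
{
    // allowed_classes => false makes PHP substitute __PHP_Incomplete_Class for
    // every object in the payload instead of instantiating the named class.
    $value = @unserialize($payload, ['allowed_classes' => false]);

    // unserialize() returns false both for a malformed payload and for the
    // legitimate payload 'b:0;', so distinguish the two before rejecting.
    if ($value === false && $payload !== 'b:0;') {
        throw new UntrustedSerializedData('malformed serialized data');
    }

    // Objects were neutralised, not removed: walk the result and refuse any
    // payload that tried to smuggle one in, rather than silently using it.
    $stack = [$value];
    while ($stack !== []) {
        $item = array_pop($stack);
        if ($item instanceof __PHP_Incomplete_Class) {
            throw new UntrustedSerializedData('object in serialized data rejected');
        }
        if (is_array($item)) {
            foreach ($item as $child) { $stack[] = $child; }
        }
    }
    return $value;
}

// Constructed sample payloads: a plain array is accepted, while a payload that
// names a class (the 'O:' object token) is rejected before any of its code runs.
$accepted = unserializeUntrusted('a:2:{i:0;s:2:"ok";s:3:"key";i:42;}');
try {
    unserializeUntrusted('a:1:{i:0;O:8:"stdClass":0:{}}');
} catch (UntrustedSerializedData $e) {
    error_log($e->getMessage());
}
```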