Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: Bug 67072 resolution for 5.4/5.5
From: ocramius@gmail.com (Marco Pivetta)
To: Stas Malyshev
Cc: Nikita Nefedov, internals@lists.php.net
Date: Thu, 26 Jun 2014 03:07:18 +0200
In-Reply-To: <53AB709C.1000809@sugarcrm.com>

On 26 June 2014 03:00, Stas Malyshev wrote:

> Hi!
>
> > You keep mentioning these two, but don't they assume that the serialized
> > data is user-provided?
>
> Yes, they do.
>
> > I don't think anybody sane would/should do that in the first place, as it
>
> Simple search on github suggests otherwise.

*sane* doesn't mean everyone. Allowing un-serializing data coming from user input is as bad as `eval()`, and trying to defend from it is also quite useless.

> > would be already possible to cause RCE just with any class implementing
> > the `Serializable` interface.
>
> Not sure how you could do that, could you please explain how you would
> cause that?

Assuming this exists in the user's codebase:

    class Prank implements Serializable
    {
        public function serialize() {}

        public function unserialize($serialized)
        {
            exec('rm -rf /');
        }
    }

Then send a serialized prank over the internets.

Other interesting security issues are related to this as well in my opinion, but I'd have to do research on the problem first.

> I was, of course, speaking of running
> arbitrary code on C level, not just PHP methods purposed to handle the
> data by the developers.

That was my misunderstanding. Thanks for clarifying.

Marco Pivetta

http://twitter.com/Ocramius
http://ocramius.github.com/
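The thread's point is that `unserialize()` on attacker-controlled bytes lets the attacker pick which class gets instantiated, so any `Serializable::unserialize()` (or `__wakeup()`) method in the codebase becomes reachable. The code below is an added example written for this page; it is not from the thread or from PHP's own sources. It shows the two defensive patterns a practitioner would reach for: authenticate blobs the application itself produced with an HMAC before they reach `unserialize()`, restrict instantiable classes with the real `allowed_classes` option (available since PHP 7.0), and for genuinely user-supplied data avoid PHP's object serialization entirely by using JSON. It assumes PHP 8.0 or later (for the `mixed` type and `JSON_THROW_ON_ERROR`); the key constant and all inputs are constructed placeholders.

```php
<?php
// Added example, not part of the original thread. Assumes PHP >= 8.0.
declare(strict_types=1);

// Placeholder: in a real deployment load this from a secret store.
const SECRET_KEY = 'replace-with-a-random-32-byte-key';

/**
 * For data the application produced itself (a client-side cache or session
 * blob, for instance): attach an HMAC so a tampered or forged blob is
 * rejected before unserialize() ever parses it.
 */
function signSerialized(mixed $value, string $key): string
{
    $payload = serialize($value);
    $mac = hash_hmac('sha256', $payload, $key);
    return $mac . ':' . $payload;
}

/**
 * Verify the HMAC, then unserialize with an explicit class allow-list.
 * With allowed_classes => false every object becomes __PHP_Incomplete_Class,
 * so no unserialize()/__wakeup() method of an unexpected class can run.
 */
function verifyAndUnserialize(string $blob, string $key, array $allowedClasses = []): mixed
{
    $parts = explode(':', $blob, 2);
    if (count($parts) !== 2) {
        throw new InvalidArgumentException('malformed blob');
    }
    [$mac, $payload] = $parts;
    $expected = hash_hmac('sha256', $payload, $key);
    // hash_equals() is a constant-time comparison; a plain === would leak
    // how many leading MAC characters matched.
    if (!hash_equals($expected, $mac)) {
        throw new RuntimeException('signature mismatch: blob was tampered with or forged');
    }
    return unserialize($payload, ['allowed_classes' => $allowedClasses ?: false]);
}

/**
 * For genuinely user-supplied structured data: do not call unserialize() at
 * all. JSON has no way to name a PHP class, so there is nothing to instantiate.
 */
function decodeUserData(string $json): array
{
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('expected a JSON object or array');
    }
    return $data;
}

// --- demonstration with constructed inputs ---

// 1. A blob the application produced round-trips cleanly.
$blob = signSerialized(['user_id' => 42, 'roles' => ['editor']], SECRET_KEY);
var_dump(verifyAndUnserialize($blob, SECRET_KEY));

// 2. Flipping a single byte of the payload (simulated tampering) is rejected
//    by the MAC check, before unserialize() sees the bytes.
$tampered = substr($blob, 0, -1) . '}';
try {
    verifyAndUnserialize($tampered, SECRET_KEY);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// 3. Plain user input is decoded as JSON instead of being unserialized.
var_dump(decodeUserData('{"page": 3, "filter": "recent"}'));
```

The HMAC only helps for blobs the server created; it does nothing for data that was user-controlled from the start, which is why `decodeUserData()` uses JSON rather than a "filtered" `unserialize()`. Note that `allowed_classes` did not exist on the 5.4/5.5 branches this thread is about, so on those versions the only safe option was the JSON route.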