Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:75097 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 89310 invoked from network); 26 Jun 2014 17:18:06 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 26 Jun 2014 17:18:06 -0000 Authentication-Results: pb1.pair.com header.from=smalyshev@sugarcrm.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=smalyshev@sugarcrm.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain sugarcrm.com designates 108.166.43.115 as permitted sender) X-PHP-List-Original-Sender: smalyshev@sugarcrm.com X-Host-Fingerprint: 108.166.43.115 smtp115.ord1c.emailsrvr.com Linux 2.6 Received: from [108.166.43.115] ([108.166.43.115:39559] helo=smtp115.ord1c.emailsrvr.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 01/86-39155-BC55CA35 for ; Thu, 26 Jun 2014 13:18:04 -0400 Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp7.relay.ord1c.emailsrvr.com (SMTP Server) with ESMTP id 603F9381A0B; Thu, 26 Jun 2014 13:18:00 -0400 (EDT) X-Virus-Scanned: OK Received: by smtp7.relay.ord1c.emailsrvr.com (Authenticated sender: smalyshev-AT-sugarcrm.com) with ESMTPSA id EE1DB381289; Thu, 26 Jun 2014 13:17:59 -0400 (EDT) Message-ID: <53AC55C7.5030703@sugarcrm.com> Date: Thu, 26 Jun 2014 10:17:59 -0700 Organization: SugarCRM User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.6.0 MIME-Version: 1.0 To: Marco Pivetta CC: Nikita Nefedov , "internals@lists.php.net" References: <53A1C722.9060501@fedoraproject.org> <53A21137.6010705@sugarcrm.com> <53A2A9BD.1070603@sugarcrm.com> <53A3874E.20704@sugarcrm.com> <53A65578.6000701@sugarcrm.com> <53A8626B.701@fedoraproject.org> <53A866B6.4060501@sugarcrm.com> <53A92B24.40706@fedoraproject.org> <53A92F93.2060507@sugarcrm.com> <53A9CC06.5060707@sugarcrm.com> <53AB709C.1000809@sugarcrm.com> In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Re: Bug 67072 resolution for 5.4/5.5 From: smalyshev@sugarcrm.com (Stas Malyshev) Hi! > *sane* doesn't mean everyone. > Allowing un-serializing data coming from user input is as bad as > `eval()`, and trying to defend from it is also quite useless. I would like to hear some justification for this claim. > Assuming this exists in the user's codebase: > > class Prank implements Serializable > { > public function serialize() {} > public function unserialize() { exec('rm -rf /'); } > } That one fat assumption. Who would put such code in the codebase? With the same argument you can claim HTTP protocol has a RCE built it, of course "assuming" your http server has exec('rm -rf /'); in it ready to be called. That's not what RCE means. RCE means code execution *without* specially crafted code that is actually written on the server in order to facilitate the exact problem. > Other interesting security issues are related to this as well in my > opinion, but I'd have to do research on the problem first. If you can demonstrate a real RCE or any other problem using unserialize() (besides the __dtor issue which is widely known along with its mitigation) please share it with me or security@php.net. Those happen, as any other bugs, but claim that unserialize() is the same as eval() seems to be over-reaching. -- Stanislav Malyshev, Software Architect SugarCRM: http://www.sugarcrm.com/