Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:75836
Return-Path: <nikita.ppv@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 69615 invoked from network); 22 Jul 2014 11:49:02 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 22 Jul 2014 11:49:02 -0000
Authentication-Results: pb1.pair.com header.from=nikita.ppv@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=nikita.ppv@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.219.43 as permitted sender)
X-PHP-List-Original-Sender: nikita.ppv@gmail.com
X-Host-Fingerprint: 209.85.219.43 mail-oa0-f43.google.com  
Received: from [209.85.219.43] ([209.85.219.43:50975] helo=mail-oa0-f43.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 68/5E-14611-CAF4EC35 for <internals@lists.php.net>; Tue, 22 Jul 2014 07:49:01 -0400
Received: by mail-oa0-f43.google.com with SMTP id i7so9456370oag.2
        for <internals@lists.php.net>; Tue, 22 Jul 2014 04:48:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=4/ZWcgwK8wC22WJEKc8JumlZzTEL54F89jy4pE5sbnA=;
        b=njcEog6vCtMhhZS7bqeGWuPdxEZh+DotGv8QAALTY6WhUf+jygSoWo6eH+VptSdKBX
         uVi+vBSbuKKoUeZwZJQqcueMyvNQOpmfslL75kQe7d0MSQEraCSjxXn0w1mQEESynM+B
         ueyFgM+B6l7NwMMT2EZKFDAMRaGvdpz59oLfxUNZQ9iMlkcbqx2jZtXWfgFmwo/7UOO2
         +kG1RIO80qJ5GMfk7iNHVWz/xui/eD5uk6+rwWNYkP7ZAcMGdHEskgoWSbsuwAjM9Mh/
         rmJLKGVlFcP3Ic/TAg82GamZaRYGkWw440Qsrm13FSVDN0TwRf8tbbYJGW7wmmDnYLzK
         Mvfg==
MIME-Version: 1.0
X-Received: by 10.182.243.132 with SMTP id wy4mr48144532obc.38.1406029738172;
 Tue, 22 Jul 2014 04:48:58 -0700 (PDT)
Received: by 10.182.132.2 with HTTP; Tue, 22 Jul 2014 04:48:58 -0700 (PDT)
In-Reply-To: <CAH-PCH6Tb-QbTaB3_qthpiGo4fcs0afViDhACmcur=vZ+=HnFg@mail.gmail.com>
References: <CAH-PCH6xEXspisLOHtiTbViA4vDTk7q6LM3t_Bh9Dzr1cj_Nag@mail.gmail.com>
	<53A1C722.9060501@fedoraproject.org>
	<53A21137.6010705@sugarcrm.com>
	<CAMUwpuT_S2EE6cdJM95RzY4vmORGx3vJ9+gau8G3EZCMsNSydA@mail.gmail.com>
	<53A2A9BD.1070603@sugarcrm.com>
	<CAH-PCH5-vtCVvGvceMqt6rDXq4zo0Vb34cyDK3KdBUNfg_oLyg@mail.gmail.com>
	<CADyq6sKQbV+Avzfs3OAdGM9Hc85i18t0LSATD6Rk=HjqKOMgBg@mail.gmail.com>
	<53A3874E.20704@sugarcrm.com>
	<CAH-PCH6nSk0ir_TSjhCd0BVhiY5UsOsLKzqKhqfaU1G0ghi4Tg@mail.gmail.com>
	<53A62AFF.4080302@sugarcrm.com>
	<CADyq6s+N_mNc-n1g=S5LwWBZ9fkZ+hqRc3Ycu8M7EBd9Hc1ABw@mail.gmail.com>
	<53B10D59.4060206@sugarcrm.com>
	<F5324819-A85F-47BA-8FE5-27FBE87E1B89@gmail.com>
	<CAH-PCH6Tb-QbTaB3_qthpiGo4fcs0afViDhACmcur=vZ+=HnFg@mail.gmail.com>
Date: Tue, 22 Jul 2014 13:48:58 +0200
Message-ID: <CAF+90c9r18LYsfFOhTj9faqBy2w+MxKAk9WmVi3PZ0uzABwQdQ@mail.gmail.com>
To: Ferenc Kovacs <tyra3l@gmail.com>
Cc: Alexey Zakhlestin <indeyets@gmail.com>, Stas Malyshev <smalyshev@sugarcrm.com>, 
	Marco Pivetta <ocramius@gmail.com>, Sebastian Bergmann <sebastian@php.net>, Julien Pauli <jpauli@php.net>, 
	Remi Collet <remi@fedoraproject.org>, PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11c2c25016659204fec6cf9c
Subject: Re: [PHP-DEV] Problems with the fix for the BC break introduced in
 5.4.29 and 5.5.13
From: nikita.ppv@gmail.com (Nikita Popov)

--001a11c2c25016659204fec6cf9c
Content-Type: text/plain; charset=UTF-8

On Tue, Jul 22, 2014 at 12:27 PM, Ferenc Kovacs <tyra3l@gmail.com> wrote:

> sorry for the late reply.
> you are right and after looking into the implementation I think classes
> having custom object storage (eg. create_object) shouldn't assume that
> their __construct will be called, but either do the initialization in the
> create_object hook or validate in the other methods that the object was
> properly initialized.
> given that this lack of initialization problem is already present(you can
> extend such a class and have a __construct() in the subclass which doesn't
> call the parent constructor), and we want to keep the unserialize trick
> fixed (as that exposes this problems to the remote attacker when some code
> accepts arbitrary serialized data from the client) I see no reason to keep
> the limitation in the ReflectionClass::newInstanceWithoutConstructor() and
> allowing the instantiation of internal classes will provide a clean upgrade
> path to doctrine and co.
> ofc. we have to fix the internal classes misusing the constructor for
> proper initialization one by one, but that can happen after the initial
> 5.6.0 release (ofc it would be wonderful if people could lend me a hand for
> fixing as much as we can before the release), but we have to fix those
> anyways.
>

This sounds reasonable to me. newInstanceWithoutConstructor does not have
the same remote exploitation concerns as serialize, so allowing crashes
here that can also be caused by other means seems okay to me (especially if
we're planning to fix them lateron). Only additional restriction I'd add is
to disallow calling it on an internal + final class. For those the
__construct argument does not apply. For them the
entity-extending-internal-class usecase doesn't apply either, so that
shouldn't be a problem.

Nikita

--001a11c2c25016659204fec6cf9c--