Newsgroups: php.internals
Date: Tue, 4 Nov 2014 19:35:27 +0100
From: nikita.ppv@gmail.com (Nikita Popov)
To: Stas Malyshev
Cc: PHP Internals
Subject: Re: [PHP-DEV] [RFC] [VOTE] Filtered unserialize()

On Mon, Nov 3, 2014 at 10:10 PM, Stas Malyshev wrote:

> Hi!
>
> I'd like to put to vote my proposal about the filtered unserialize():
>
> https://wiki.php.net/rfc/secure_unserialize
>
> It was discussed a number of times before and I think it is time to have
> a decision on it. If you need any clarifications on the proposal, please
> do not hesitate to ask.

I'm -1 on this RFC, because I think this only further encourages ill-advised usages of unserialize() on user-provided strings.

I don't think adding an allowed classes list makes unserialize() safe, because it also supports some other weird things. For example, our serialization format allows you to create references. I'd imagine that you can easily use this to cause a DOS condition if the code processing the unserialize output uses any kind of recursion.

Furthermore I dislike some details of the particular implementation:

The ability to use false as a synonym for [] seems unnecessary.

Directly using an extra argument will be inconvenient for future additions, e.g. if you really wanted to make this secure, you'd probably also want to have options to disable references and to limit the cumulative number of array elements (hashdos). I'd prefer using an options array for this.

Nikita
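
The reference concern raised in the message above, as an added example that is not part of the original email or of the RFC. It uses the options-array form of unserialize() that PHP 7.0 later shipped; `assertBounded()` and its limits are hypothetical, and the payloads are constructed with serialize() inside the script.

```php
<?php
declare(strict_types=1);

// Constructed input: two keys bound to one array. serialize() encodes the
// second entry as a back-reference instead of a second copy.
$shared  = [1];
$payload = serialize(['x' => &$shared, 'y' => &$shared]);

// Class filtering only; nothing here asks unserialize() to drop references.
$out = unserialize($payload, ['allowed_classes' => false]);
$out['x'][] = 2; // write through one key, then inspect the other
echo "reference kept after filtering: ";
var_dump(count($out['y']) === count($out['x']));

/**
 * Hypothetical helper (not a PHP API): walk the result with an explicit
 * stack and hard limits, so code that consumes unserialized data does not
 * depend on the structure being a finite tree.
 */
function assertBounded($data, int $maxDepth = 32, int $maxElements = 10000): void
{
    $stack = [[$data, 0]];
    $seen  = 0;
    while ($stack) {
        [$node, $depth] = array_pop($stack);
        if (!is_array($node)) {
            continue;
        }
        if ($depth >= $maxDepth) {
            throw new LengthException("nesting deeper than $maxDepth");
        }
        foreach ($node as $child) {
            if (++$seen > $maxElements) {
                throw new LengthException("more than $maxElements elements visited");
            }
            $stack[] = [$child, $depth + 1];
        }
    }
}

// Constructed input: a self-referencing array, round-tripped through the format.
$cyc = ['leaf' => 1];
$cyc['self'] = &$cyc;
$roundTripped = unserialize(serialize($cyc), ['allowed_classes' => false]);

try {
    assertBounded($roundTripped);
    echo "structure is within limits\n";
} catch (LengthException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The walk runs after unserialize() has already built the value, so it only protects the consuming code; limits on references or element counts at parse time would have to live in unserialize() itself, as the message suggests.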