Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:78672 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 6821 invoked from network); 4 Nov 2014 19:26:42 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 4 Nov 2014 19:26:42 -0000 Authentication-Results: pb1.pair.com header.from=nikita.ppv@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=nikita.ppv@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.46 as permitted sender) X-PHP-List-Original-Sender: nikita.ppv@gmail.com X-Host-Fingerprint: 74.125.82.46 mail-wg0-f46.google.com Received: from [74.125.82.46] ([74.125.82.46:63918] helo=mail-wg0-f46.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 78/90-02095-17829545 for ; Tue, 04 Nov 2014 14:26:41 -0500 Received: by mail-wg0-f46.google.com with SMTP id x13so15658871wgg.5 for ; Tue, 04 Nov 2014 11:26:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=/H8UlRldXHgVJO4MZ0dQMkDuvMK0FcBoPOmqZrx7lpg=; b=mO7TTqFCmXfyTcQzctK8hJlgor1aJy0RVF3Xv1LeiRsm6ScoyTOsyNpDsC+8tQ2QT9 b6mCyywM6B+Wm7LnICxTqwRg/laBYkP6iZ2hKli/ME6RhXnF3aQPgonNJbJQbsUYB6L9 Q8MYYcuJXwjTTC5GW5xcMWkpb1rEcHBUTgXWLeK3kRDN/ldcXpCOPXua5J0BB12wYq+/ CmsXRD5HJB5msmAAA0Fvkct3QtCqZiAk7dkTwjWR3RPWyyu2Gs7YXyNfzVcam0+jy4Fm sFG/phxgiIsp/24QoXdAOYbu2G9hzabDfT7ikQqZO1m9IP+ZS09t2VFGK3YEstwz9PYM O2Yg== MIME-Version: 1.0 X-Received: by 10.180.98.233 with SMTP id el9mr16625684wib.3.1415129197825; Tue, 04 Nov 2014 11:26:37 -0800 (PST) Received: by 10.27.10.12 with HTTP; Tue, 4 Nov 2014 11:26:37 -0800 (PST) In-Reply-To: <54591EC3.9080202@sugarcrm.com> References: <5457EF60.1020103@sugarcrm.com> <54591EC3.9080202@sugarcrm.com> Date: Tue, 4 Nov 2014 20:26:37 +0100 Message-ID: To: Stas Malyshev Cc: PHP Internals Content-Type: multipart/alternative; boundary=f46d0442889625d35905070d7137 Subject: Re: [PHP-DEV] [RFC] [VOTE] Filtered unserialize() From: nikita.ppv@gmail.com (Nikita Popov) --f46d0442889625d35905070d7137 Content-Type: text/plain; charset=UTF-8 On Tue, Nov 4, 2014 at 7:45 PM, Stas Malyshev wrote: > Hi! > > > I'm -1 on this RFC, because I think this only further encourages > > ill-advised usages of unserialize() on user-provided strings. I don't > > I guess that's where we disagree. I think that security is a layered > approach (see more here: > http://php100.wordpress.com/2014/11/03/unserialize-and-being-practical/). > Some > people think that if somebody deviates from the best practice, however > good are the reasons, there should be no support whatsoever in securing > the alternative approach since it "encourages" departing from best > practices. I think this approach is wrong. > To clarify: I don't think it makes sense to add an additional security option, if we cannot say that unserialize() is to our knowledge *fully* secure if this option is used. Adding this makes sense if you can say "if you use this option, you can safely use unserialize() on user-provided input, nothing bad can happen, ignore anything we told you previously". I don't think that adding an allowed classes list quite gets us to that point. The two issues I see are the ability to create references and to exploit hashdos (the latter also applies to json). Maybe there are others, this would need closer review. > > Furthermore I dislike some details of the particular implementation: The > > ability to use false as a synonym for [] seems unnecessary. Directly > > I could make it produce an error on false, but I don't see what use case > it would help. If you have such use case, please describe it. > Just looking at your implementation again, it looks like "false" is not a special value and you actually accept anything, regardless of type. So if I pass the string "foo" as the second parameter, it will simply do nothing. Silently discarding values for security features sounds dubious to me. Nikita --f46d0442889625d35905070d7137--