Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:78673
Return-Path: <dmitry@zend.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 9681 invoked from network); 4 Nov 2014 19:48:26 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 4 Nov 2014 19:48:26 -0000
Authentication-Results: pb1.pair.com smtp.mail=dmitry@zend.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=dmitry@zend.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain zend.com designates 209.85.214.181 as permitted sender)
X-PHP-List-Original-Sender: dmitry@zend.com
X-Host-Fingerprint: 209.85.214.181 mail-ob0-f181.google.com  
Received: from [209.85.214.181] ([209.85.214.181:65358] helo=mail-ob0-f181.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 24/11-02095-98D29545 for <internals@lists.php.net>; Tue, 04 Nov 2014 14:48:25 -0500
Received: by mail-ob0-f181.google.com with SMTP id uy5so11163270obc.26
        for <internals@lists.php.net>; Tue, 04 Nov 2014 11:48:22 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:date
         :message-id:subject:from:to:cc:content-type;
        bh=1kRzCldqZb8cpKwuws/AvP6JWBwrCFkUxc6LGt7bvX4=;
        b=fFRTmLLF22Ugbnhb24xyOmNWGSorWd30wGjF5NkzIEovZ5x+RGkvRIynZ1MwaQgPGQ
         Ah4HfO0+SBLriGLKLxonkPHTEsDSB/Hs3hqxq9u31UqcKc2sIti4hRyNsgi7X1EmfLqd
         ZPVK+k3EJlDECkE+dC1SnIEqmrHHIyRRmD9bVO4q8oGzB801nuSGnNw7sJf8eJ5Wf0l4
         zXcAgNLCgqo4H03MjiHrFE1YdqUAnpndN83i9RbppmkdjQKni/yLGXHyzTh01RsPitTq
         6By/LQ4n2kq+JAMbhvJrBRk8UFQCAKX4m4xVQsgKFDt5B7+MY00lmqQPfOgeQ7ElExX3
         78hw==
X-Gm-Message-State: ALoCoQm4lVYyqd7UT0sJP2sPUu6UVO+QMyTFuCoaAGDgAV+v644CQO2good1R4AugCAv9I5j8xUrruVcM7+ZSmafMcguDsX9qaiX7AT9wp8h0LPD3U0ZGk3QAMMFwtfzQKrIPolrOTcLRpWVfE/BYDwYoOYr271b+w==
MIME-Version: 1.0
X-Received: by 10.60.67.233 with SMTP id q9mr44647997oet.30.1415130502413;
 Tue, 04 Nov 2014 11:48:22 -0800 (PST)
Received: by 10.60.70.41 with HTTP; Tue, 4 Nov 2014 11:48:22 -0800 (PST)
In-Reply-To: <54591EC3.9080202@sugarcrm.com>
References: <5457EF60.1020103@sugarcrm.com>
	<CAF+90c-gRf33Fwqsf00JRLPVuXYjXS2yM4gHYcHUepQ_ynZ9uQ@mail.gmail.com>
	<54591EC3.9080202@sugarcrm.com>
Date: Tue, 4 Nov 2014 23:48:22 +0400
Message-ID: <CA+9eiLsD5-zqSHR1u4b=jb7sEDR7COTKNxpzOBPXJfTqnrqspQ@mail.gmail.com>
To: Stas Malyshev <smalyshev@sugarcrm.com>
Cc: Nikita Popov <nikita.ppv@gmail.com>, PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11c30fbce85f8205070dbe3f
Subject: Re: [PHP-DEV] [RFC] [VOTE] Filtered unserialize()
From: dmitry@zend.com (Dmitry Stogov)

--001a11c30fbce85f8205070dbe3f
Content-Type: text/plain; charset=UTF-8

I agree with Nikita.
Adding an extra argument for one particular security related case looks
weird.
Will we add more arguments for others?

I would also prefer options array and [] instead of 'false'.

unserialize($string, array('allowed_classes'=>[]));

It's also more readable :)

Thanks. Dmitry.

On Tue, Nov 4, 2014 at 9:45 PM, Stas Malyshev <smalyshev@sugarcrm.com>
wrote:

> Hi!
>
> > I'm -1 on this RFC, because I think this only further encourages
> > ill-advised usages of unserialize() on user-provided strings. I don't
>
> I guess that's where we disagree. I think that security is a layered
> approach (see more here:
> http://php100.wordpress.com/2014/11/03/unserialize-and-being-practical/).
> Some
> people think that if somebody deviates from the best practice, however
> good are the reasons, there should be no support whatsoever in securing
> the alternative approach since it "encourages" departing from best
> practices. I think this approach is wrong.
>
> > format allows you to create references. I'd imagine that you can easily
> > use this to cause a DOS condition if the code processing the unserialize
> > output uses any kind of recursion.
>
> I'm not sure what you mean here. I'm not aware of any way to cause any
> recursion or DoS when parsing serialized data, as for user-side data
> processing, of course I do not attempt to cure the world and solve the
> halting problem, I only give you a tool to filter data. If you store
> recursive data structures in your data and process it, this RFC does not
> provide recursion protection, we can not do everything in one RFC :)
>
> > Furthermore I dislike some details of the particular implementation: The
> > ability to use false as a synonym for [] seems unnecessary. Directly
>
> I could make it produce an error on false, but I don't see what use case
> it would help. If you have such use case, please describe it.
>
> > using an extra argument will be inconvenient for future additions, e.g.
> > if you really wanted to more this secure, you'd probably also want to
> > have options to disable references and to limit the cumulative number of
> > array elements (hashdos). I'd prefer using an options array for this.
>
> I sill have hope named parameters happen some time, which would
> eliminate the need option arrays. Since right now we have only one
> option, I think option array is redundant here.
> --
> Stanislav Malyshev, Software Architect
> SugarCRM: http://www.sugarcrm.com/
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--001a11c30fbce85f8205070dbe3f--