Newsgroups: php.internals
Xref: news.php.net php.internals:94234
Subject: Re: [PHP-DEV] [Bug #68319] unserialize() with modified class definition.
From: dmitry@zend.com (Dmitry Stogov)
To: Sara Golemon, PHP internals, Stanislav Malyshev
Date: Thu, 23 Jun 2016 18:18:12 +0000

Looking into the number of unserialize()-related "security" issues, I think we should fix all of them once and forever, introducing a validation pass. In case something in the provided data is wrong (e.g. duplicated properties or array keys, unexpected types, invalid references, invalid property visibility, etc.), we should just return FALSE.
I think Stas proposed something similar some time ago.

Thanks. Dmitry.

________________________________
From: php@golemon.com on behalf of Sara Golemon
Sent: Thursday, June 23, 2016 8:53:58 PM
To: PHP internals
Subject: [PHP-DEV] [Bug #68319] unserialize() with modified class definition.

https://bugs.php.net/bug.php?id=68319
https://3v4l.org/irnRC

The crux is this:

* Object instance gets serialized with one definition, maybe stored in DB/file, whatever; the serialized value lives on.
* Class definition changes slightly. In this case, a property changes visibility.
* Serialized value is unserialized. The prop visibilities don't match.
* PHP says, "Eh, whatevs, I'll make a dynamic prop of the same name."

Possible resolutions:

1: Raise a warning and return false (as unserialize already does for parse errors)
2: Raise a warning and "correct" the visibility to match the current class definition
3: Raise a warning and continue duplicating the properties

I don't think we need to be as terrible as option 3, since any code facing this problem right now can't actually access the unserialized value and is therefore broken in much worse ways. I think option 2 presents its own unquantified risks and should probably be avoided. So obviously, I vote option 1, but I'd like to get others' thoughts and opinions before addressing this bug.

I'm going to go ahead and say ignore what HHVM does here. In this specific case they basically take option 2, but in the inverse case https://3v4l.org/ecM1Q they're precisely as broken as we are.

-Sara

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
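As an added example (not code from this thread, the bug report or PHP itself), the validation pass Dmitry proposes can be modelled outside the engine: the Python parser below reads one PHP-serialized object with scalar properties and hands back its properties only when the payload is well-formed, no property is duplicated and every mangled property name agrees with the visibility the current class declares, returning False otherwise. The class Foo, its property $bar and the schema dict are constructed for the example; nested arrays and objects are out of scope.

```python
import re

# PHP's serialize() encodes visibility in the property name: public "bar" -> "bar",
# protected -> "\0*\0bar", private declared in class Foo -> "\0Foo\0bar".
_HEAD = re.compile(rb'O:(\d+):"([^"]*)":(\d+):\{')          # O:len:"Class":count:{
_STRING = re.compile(rb's:(\d+):"')                         # s:len:"...";
_SCALAR = re.compile(rb'(?:(i|b|d):([^;]*)|N);')            # i:1;  b:1;  d:1.5;  N;
_CONV = {b"i": int, b"b": lambda r: r == b"1", b"d": float}

def _read_string(buf, pos):
    """Return (bytes, newpos) for a serialized string at pos, else None."""
    m = _STRING.match(buf, pos)
    end = m.end() + int(m.group(1)) if m else -1
    return (buf[m.end():end], end + 2) if m and buf[end:end + 2] == b'";' else None

def _read_scalar(buf, pos):
    """Return (value, newpos) for i/b/d/N/s values; None otherwise (nesting is out of scope)."""
    m = _SCALAR.match(buf, pos)
    if not m:
        return _read_string(buf, pos)
    kind = m.group(1)
    return (_CONV[kind](m.group(2)) if kind else None), m.end()

def _visibility(raw_name):
    """Map a (possibly mangled) key to (visibility, plain name); the owner class is not checked."""
    if not raw_name.startswith(b"\0"):
        return "public", raw_name.decode()
    owner, _, name = raw_name[1:].partition(b"\0")
    return ("protected" if owner == b"*" else "private"), name.decode()

def validate_unserialize(payload, schema):
    """Model of the proposed validation pass: `schema` maps class -> {prop: visibility} as declared
    *now*; return the properties only if well-formed, unique and visibility-consistent, else False."""
    m = _HEAD.match(payload)
    if not m or int(m.group(1)) != len(m.group(2)):
        return False
    declared, props, pos = schema.get(m.group(2).decode()), {}, m.end()
    for _ in range(int(m.group(3))):
        key = _read_string(payload, pos)
        val = _read_scalar(payload, key[1]) if key else None
        if declared is None or val is None:
            return False                      # unknown class, truncated or unsupported value
        (vis, name), (value, pos) = _visibility(key[0]), val
        if name in props or declared.get(name) != vis:
            return False                      # duplicated property or visibility mismatch
        props[name] = value
    return props if declared is not None and payload[pos:] == b"}" else False

OLD_PAYLOAD = b'O:3:"Foo":1:{s:6:"\0*\0bar";i:1;}'   # constructed: Foo::$bar was protected when written
CURRENT_SCHEMA = {"Foo": {"bar": "public"}}         # constructed: the class declares $bar public today
```

With the old payload and the current schema the check returns False, which is the Bug #68319 case; the same payload against a schema still declaring $bar protected is accepted.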