Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94235
Return-Path: <smalyshev@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 80593 invoked from network); 23 Jun 2016 18:25:18 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 23 Jun 2016 18:25:18 -0000
Authentication-Results: pb1.pair.com header.from=smalyshev@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=smalyshev@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.192.181 as permitted sender)
X-PHP-List-Original-Sender: smalyshev@gmail.com
X-Host-Fingerprint: 209.85.192.181 mail-pf0-f181.google.com  
Received: from [209.85.192.181] ([209.85.192.181:33064] helo=mail-pf0-f181.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 29/31-08667-D892C675 for <internals@lists.php.net>; Thu, 23 Jun 2016 14:25:18 -0400
Received: by mail-pf0-f181.google.com with SMTP id i123so31045929pfg.0
        for <internals@lists.php.net>; Thu, 23 Jun 2016 11:25:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-transfer-encoding;
        bh=htg3U78CTtF6yO1FKG77yLhIr7TyUErQCOPchwYomU0=;
        b=ZQ9AMyTynrhpv7XUnNo578quA092xQwOZth8C++SjvF2vhIe7EbT+oYTbKc+ScZBzg
         6G3I4IttAMldvNnZbvf6fN4efYq24fplueGFlK0x8NEOEx7004qVMKtKSaWdk1oYa8EZ
         e5sD6nuKXpg/hMFr4PDUiADu+pVlbgd2eqXXy+Yk7Kt9+9bNGy3siT9l/vo5jmB/YmwG
         kP/8R+OewPELk0MDyLUF4FOUYybC1rzQH69uvoRVA31m5T9qOOGfXXgBeH7axGqhZxy8
         UbuNINgU/A7JqisVc1qNc79geFTEXghPSa3hniLWJgCCS3PeUmmbFAxHxMZMAcpt/4rI
         04Wg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-transfer-encoding;
        bh=htg3U78CTtF6yO1FKG77yLhIr7TyUErQCOPchwYomU0=;
        b=m9fexZf+IlafocKTorsVcJf21AWFCDoUPO7BQVwpCyA0sr+bniISsAUbHbgQKAOehA
         mgux/7CNRGOA+20XSpdcTiHa8yZZDrFzpKuzhsCyOG1Ct7WuDdwCRcHq0rvoGpzDPQ20
         C2dFCc6infb7rZXEW4XVmmqaeuLiLsuqM4m61MqyKAM4vdFibd9ukgBRtPl+bXfkPeQs
         PEXURQWFkB89dkTsFTgaA6YAB6Urbj716AjBn/9W8ZaKhNOW/q13PLHTAl2M8TU+4qxZ
         xZqQ/kxXGqPoPa9VIaw01aQOpR4+Ci/g7OFACtxNl59FeAzFVDcVqibdEEjHVGxI5aGG
         p8zA==
X-Gm-Message-State: ALyK8tIbz1btLMAuFZi1IY7N4ekoRPiYNGa2ReuL1tAaTjXh7N//HNs98N9W24Giazc7Fg==
X-Received: by 10.98.77.65 with SMTP id a62mr45561984pfb.128.1466706314564;
        Thu, 23 Jun 2016 11:25:14 -0700 (PDT)
Received: from stas-air.corp.wikimedia.org (tan1.corp.wikimedia.org. [198.73.209.1])
        by smtp.gmail.com with ESMTPSA id 69sm1651076pfc.90.2016.06.23.11.25.13
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 23 Jun 2016 11:25:13 -0700 (PDT)
To: Dmitry Stogov <dmitry@zend.com>, Sara Golemon <pollita@php.net>,
 PHP internals <internals@lists.php.net>
References: <CAESVnVpQGHe9eDCbdgkmJw3qNFX7BJ3af0xcRr7DtK9NXwykrg@mail.gmail.com>
 <BY2PR0201MB1784E3A93854E9C2E7A08818BF2D0@BY2PR0201MB1784.namprd02.prod.outlook.com>
Message-ID: <099f7db1-0166-b641-c04f-a22581fd3879@gmail.com>
Date: Thu, 23 Jun 2016 11:25:12 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:45.0)
 Gecko/20100101 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <BY2PR0201MB1784E3A93854E9C2E7A08818BF2D0@BY2PR0201MB1784.namprd02.prod.outlook.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] [Bug #68319] unserialize() with modified class
 definition.
From: smalyshev@gmail.com (Stanislav Malyshev)

Hi!

> Looking into the number of unserialize() related "security" issues, I
> think we should fix all of them once and forever, introducing a
> validation pass.
> 
> In case something in provided data is wrong (e.g. duplicated properties
> or array keys, unexpected types, invalid references, invalid property
> visibility, etc), we should just return FALSE.
> 
> I think, Stas proposed something similar some time ago.

I don't remember proposing exactly that, though the idea looks worthy to
me :) I did something different though - allowing limiting unserialize
to accept only certain set of classes, which alleviates some security
issues, but not all of them. This probably would catch more cases,
though also not all of them.

As for validation pass, the only issue I foresee is handling custom
serializers. We'd need to either add validation handler too (probably a
good idea) or somehow handle that. Needs some investigation there.

As for this specific bug, it looks like an oversight. I'm not sure why
we encode visibility in the property at all... Probably for efficiency,
but I think we need to be smarter there.

-- 
Stas Malyshev
smalyshev@gmail.com