Newsgroups: php.internals
Date: Mon, 12 Jun 2017 20:48:23 +0000
To: "internals@lists.php.net"
Subject: Intended RFC Proposal: Side-Effect Filtering for unserialize()
From: david@davidstrauss.net (David Strauss)

Despite providing class whitelisting [1] and documentation warning about security impacts [2], we continue to see vulnerable uses of unserialize() in Drupal modules [3] and partially effective attempts to mitigate vulnerabilities from user-supplied, serialized data [4].

Whitelisting legal classes for unserializing data is, unfortunately, not seeing widespread uptake in community-created code that I review. It also doesn't push us toward more secure defaults shipping with OS packages and on PHP-supporting platforms. An additional option that would generally work with existing, legitimate use but would also block use for exploits could turn that tide.

I propose adding a new key to the $options parameter for unserialize(). The new key would be "exception_on_side_effects", have a Boolean value, and would (if true) cause unserialization to halt (and an exception to be thrown) if any of the data being unserialized contains objects with magic methods that will automatically execute on object wakeup, destruction, or other events that the PHP interpreter (almost) always triggers.

To help push toward better defaults, I also suggest adding a related configuration option:

    Name: unserialize_side_effect_protection
    Default: 0
    Changeable: PHP_INI_ALL

If enabled, it would cause "exception_on_side_effects" to be enabled by default on all unserialize() calls that don't specify "allowed_classes" or override the default. By making it PHP_INI_ALL, frameworks could lock down usage during bootstrap (or at least before reading request data).

I am a member of the Drupal Security Team and would also be the implementer of this feature. My username on the wiki is "dts", and I'm requesting RFC karma.
[1] https://wiki.php.net/rfc/secure_unserialize
[2] https://secure.php.net/manual/en/function.unserialize.php
[3] https://www.ambionics.io/blog/drupal-services-module-rce
[4] https://github.com/WordPress/WordPress/blob/efab6e06cae3ed14c6b681570dfd5f81917d9f9c/wp-includes/functions.php#L341-L394
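As an added illustration of what the proposed "exception_on_side_effects" check amounts to (this is example code written here, not part of the proposal and not PHP's own implementation), the following userland wrapper approximates it: before calling unserialize(), it scans the payload for object tokens, resolves each named class, and refuses to proceed if the class defines a magic method that the interpreter would run automatically. The helper names unserialize_without_side_effects(), serialized_class_names() and UnserializeSideEffectException are assumptions made for this example; the SafeValue and Cleanup classes and the payloads are constructed sample input.

```php
<?php
// Added example: userland approximation of the proposed
// "exception_on_side_effects" behaviour. Not the proposal's code and not
// PHP's own unserialize() internals; all helper names are assumed.
declare(strict_types=1);

final class UnserializeSideEffectException extends RuntimeException {}

/**
 * Return the class names referenced by object tokens in a serialized string.
 * Matches the O:len:"Class": form (plain objects) and the C:len:"Class": form
 * (custom Serializable). A string value whose *content* looks like an object
 * token is also matched; that is a false positive in the safe direction.
 */
function serialized_class_names(string $data): array
{
    preg_match_all('/[OC]:(\d+):"([^"]*)"/', $data, $matches, PREG_SET_ORDER);
    $names = [];
    foreach ($matches as [$token, $declaredLength, $name]) {
        // The declared length must match the name; anything else is malformed.
        if ((int) $declaredLength !== strlen($name)) {
            throw new UnserializeSideEffectException("Malformed object token: $token");
        }
        $names[$name] = true;
    }
    return array_keys($names);
}

/**
 * unserialize() that throws instead of instantiating any class whose magic
 * methods PHP would invoke automatically after unserialization.
 */
function unserialize_without_side_effects(string $data, array $options = [])
{
    // Methods PHP triggers without the caller asking for them:
    // __wakeup on unserialize, __unserialize (PHP 7.4+) in its place,
    // __destruct when the object is released.
    $automaticMagic = ['__wakeup', '__unserialize', '__destruct'];

    foreach (serialized_class_names($data) as $class) {
        // Look up without autoloading: unserialize() itself would autoload,
        // and an autoloader is code we did not intend to run for this payload.
        if (!class_exists($class, false)) {
            throw new UnserializeSideEffectException("Class '$class' is not loaded; refusing to autoload it");
        }
        $reflection = new ReflectionClass($class);
        foreach ($automaticMagic as $method) {
            if ($reflection->hasMethod($method)) {
                throw new UnserializeSideEffectException("$class::$method would run automatically; refusing to unserialize");
            }
        }
    }

    // Reached only when no object token names a class with automatic side effects.
    return unserialize($data, $options);
}

// --- Constructed sample input for demonstration -------------------------
class SafeValue
{
    public int $x = 1;
}

class Cleanup
{
    public string $path = '';
    public function __destruct()
    {
        // Runs whenever an instance is released; this is the kind of
        // automatically-triggered method the proposal wants to gate.
    }
}

$plainPayload = serialize(new SafeValue());
$magicPayload = serialize(new Cleanup());

// A plain data object passes and is reconstructed as usual.
$value = unserialize_without_side_effects($plainPayload);
var_dump($value instanceof SafeValue);

// A class with __destruct is rejected before any instance exists.
try {
    unserialize_without_side_effects($magicPayload);
} catch (UnserializeSideEffectException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// The existing mitigation from [1] still composes with the wrapper: passing
// 'allowed_classes' => false turns every object into __PHP_Incomplete_Class,
// but the wrapper has already refused on the class name, so neither path
// instantiates Cleanup.
try {
    unserialize_without_side_effects($magicPayload, ['allowed_classes' => false]);
} catch (UnserializeSideEffectException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The wrapper fails closed in two places the proposal leaves to the engine: an unknown class is rejected rather than autoloaded, and a malformed object token is rejected rather than handed to unserialize(). A native implementation could decide these cases after parsing instead of by regular expression, which is why the proposal asks for the check inside unserialize() rather than in userland.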