On 2013-03-31 00:27, Stas Malyshev wrote:
Hi!
I think Stas proposes a solution to the problem and I think Anthony
proposes a viable alternative. I would say that Anthony has found the
shortest distance between the two points (the problem and the solution),
however.
The fact is that people do use serialize() for data that may be
accessible by the user (or made accessible by unrelated security issues,
which may be upgraded in severity by this - e.g. from SQL injection to
persistent code backdoor on the server). There are many ways to do
things differently, and they are known. However, as I said, the fact is
people do use serialize() and may not even realize the data aren't as
secure as they are. That's why many security tools flag any object with
dtor in application using unserialize as insecure. This is not a good
situation, and presently there are no way to avoid it except dropping
serialize() completely - which may not be an option is some cases and in
any case would require serious changes to the production code.
This enhancement is to fix this problem. It is not to change best
practices or give advice on how to write the most secure system - it is
to make existing code more secure easily.
An alternative to whitelisting or forbidding unserialization of classes
is to sign your serialized data. We do this in a couple of places where
users have access to serialized data (cookies, forms). There's a private
key on the server and serialized data is encoded with a signature at the
end. Users cannot directly modify the serialized data because they can't
resign it without the key. The server rejects invalid signatures before
unserializing.
Maybe PHP core could add signed_serialize($data, $key) and
signed_unserialize($data, $key).
Cheers,
Mike
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
