rfc:secure_unserialize

Differences

This shows you the differences between two versions of the page.

rfc:secure_unserialize [2013/03/30 05:21] – [Backward Incompatible Changes] stas
rfc:secure_unserialize [2014/10/27 07:47] stas
Line 3: Line 3:
   * Date: 2013-03-29    * Date: 2013-03-29 
   * Author: Stas Malyshev, stas@php.net   * Author: Stas Malyshev, stas@php.net
-  * Status: Draft +  * Status: In Discussion 
   * First Published at: http://wiki.php.net/rfc/secure_unserialize   * First Published at: http://wiki.php.net/rfc/secure_unserialize
 +  * Patch: https://github.com/php/php-src/pull/315
 ===== Introduction ===== ===== Introduction =====
  
Line 37: Line 37:
  
    * No user-level BC issues should arise, as the default mode functions exactly as unserialize() works now.     * No user-level BC issues should arise, as the default mode functions exactly as unserialize() works now. 
-   * It is not clear yet it it's possible to preserve binary API with this change.  
-===== Proposed PHP Version(s) ===== 
  
-The change can be merged into any PHP version since it does not involve backwards-incompatible changes either on API level or on language level. +===== Proposed PHP Version(s) =====
  
 +Since the current patch preserves the binary API, the change can be merged into any PHP version.
 ===== Other issues ==== ===== Other issues ====
  
   * It is not planned that unserialize_callback_func function will be called on prohibited classes as it is done on non-existing classes.    * It is not planned that unserialize_callback_func function will be called on prohibited classes as it is done on non-existing classes. 
-  * This option is not available currently for sessions and any other functions that use unserialization without calling unserialize(). This may be added later if needed. +  * This option is not available currently for sessions and any other functions that use unserialization without calling unserialize(). This may be added later if needed, but for sessions it is very unlikely that untrusted user data will be injected as serialized session data - in that case the problems with security are much larger as pretty much any session-based authentication will be immediately broken 
  
 ===== References ===== ===== References =====
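Review bot: the sentence added to the sessions bullet in the "Other issues" hunk is a run-on with no terminating period; split it after "if needed" and close it, e.g. "This may be added later if needed. For sessions it is very unlikely that untrusted user data will be injected as serialized session data; in that case the security problems are much larger, as pretty much any session-based authentication will be immediately broken." The rewritten "Proposed PHP Version(s)" paragraph now rests only on the patch preserving the binary API; since the bullet above still states that the default mode behaves exactly like the current unserialize(), it is worth keeping the user-level argument from the removed text ("no backwards-incompatible changes either on API level or on language level") so the claim that it can be merged into any version is supported from both sides. Unrelated to this change but visible in the context: the "Other issues" heading closes with four "=" against five on the opening side, unlike the other section headings; make them match.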
Line 52: Line 51:
    * Example of unserialize() security issue: http://heine.familiedeelstra.com/security/unserialize    * Example of unserialize() security issue: http://heine.familiedeelstra.com/security/unserialize
  
 +===== See also =====
 +   * Joomla unserialize() vulnerability: http://seclists.org/bugtraq/2013/Apr/173
 +   * CubeCart unserialize() vulnerability: http://karmainsecurity.com/KIS-2013-02
 +   * TikiWiki unserialize() vulnerability: http://www.securityfocus.com/bid/54298/info
 +   * Invision Power Board unserialize() vulnerability: http://www.securityfocus.com/bid/56288/info
 ===== Changelog ===== ===== Changelog =====
  
   - 2013-03-29 First version published   - 2013-03-29 First version published
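Review bot: the Changelog in this hunk still lists only "2013-03-29 First version published" although this revision changes the status to "In Discussion", adds the patch link and introduces the "See also" section; add a dated entry for these changes so the changelog matches the page. The four "See also" links are the same kind of material as the "Example of unserialize() security issue" entry under References; consider folding them into that list rather than adding a separate section between References and Changelog.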
rfc/secure_unserialize.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1