rfc:secure_unserialize

Revision 2013/03/30 05:22 by stas (last edited section: Proposed PHP Version(s)), compared against revision 2017/09/22 13:28.
====== PHP RFC: Secured unserialize() ======
  * Version: 1.0
  * Date: 2013-03-29
  * Author: Stas Malyshev, stas@php.net
  * Status: Draft
  * First Published at: http://wiki.php.net/rfc/secure_unserialize

===== Introduction =====

unserialize() in PHP has a well-known security problem. Serialized data can describe objects together with their property values, and unserialize() instantiates them using whatever classes are loaded at the time. Once such an object exists, its magic methods run without the application asking for it: __wakeup() is called during unserialization and __destruct() when the object is destroyed. An attacker who can inject serialized data into an application (for example through a cookie or form field that the application unserializes) can therefore pick any loaded class and any property values, and make those methods perform actions the application writer never intended.

===== Proposal =====

The proposal is to amend unserialize() so that callers can either prohibit restoring objects altogether or restrict the objects being restored to a whitelist of classes.

For this purpose an optional second parameter is added to unserialize(), which can take the following values:

  * true - the default, allows all objects exactly as before
  * false - no objects allowed
  * an array of class names, listing the classes that unserialized objects may have

If an object's class is not allowed, the object is unserialized as an instance of __PHP_Incomplete_Class, exactly as happens today when the object's class does not exist. Serialized data is therefore round-trip safe under any setting: serializing the result reproduces the original data. With the restrictive settings, however, the unintended objects are never instantiated as their real class, so their destructors and other methods (including __wakeup()) are not called.

** Examples **
<code php>
// this will unserialize everything as before
$data = unserialize($foo);
// this will restore every object as a __PHP_Incomplete_Class instance
$data = unserialize($foo, false);
// this will restore every object except instances of MyClass and MyClass2
// as a __PHP_Incomplete_Class instance
$data = unserialize($foo, array("MyClass", "MyClass2"));
</code>
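The gadget attack sketched in the Introduction and the whitelist behaviour described above, as one added example that is not part of the RFC. It uses the option form that was eventually shipped in PHP 7.0, unserialize($str, ['allowed_classes' => ...]), rather than the draft's bare second argument; the values it accepts (true, false, or an array of class names) and the __PHP_Incomplete_Class fallback are the ones this proposal describes. The class TempFile, the whitelist entries Config and Token, and the payload string are constructed for the demonstration.

```php
<?php
// Added example, not code from the RFC. It uses the option form that shipped in
// PHP 7.0, unserialize($str, ['allowed_classes' => ...]); the values it accepts
// (true, false, or an array of class names) match the draft's second parameter.
// The class TempFile and the payload string are constructed for this demo.

// A class whose destructor has a side effect. Any such class that happens to be
// loaded is a usable "gadget" for an attacker who controls serialized input.
class TempFile
{
    public $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    public function __destruct()
    {
        // A real gadget might unlink($this->path), write a log or run a query.
        echo "TempFile::__destruct() would act on {$this->path}\n";
    }
}

// Attacker-controlled input (constructed), e.g. the value of a cookie. Written
// by hand by the attacker; equivalent to serialize(new TempFile('/etc/passwd')).
$payload = 'O:8:"TempFile":1:{s:4:"path";s:11:"/etc/passwd";}';

// 1. Default behaviour (allowed_classes => true): a real TempFile is created and
//    its destructor runs as soon as the last reference to it disappears.
$obj = unserialize($payload);
echo get_class($obj), "\n";
unset($obj);   // __destruct() fires here, with the attacker's path

// 2. No objects allowed: the object comes back as __PHP_Incomplete_Class, so no
//    TempFile method (__wakeup(), __destruct(), ...) is ever invoked.
$obj = unserialize($payload, ['allowed_classes' => false]);
echo get_class($obj), "\n";
// The original class name is kept in a reserved property. Read it through an
// array cast: direct property access on an incomplete object is rejected.
echo ((array) $obj)['__PHP_Incomplete_Class_Name'], "\n";
unset($obj);   // no destructor runs

// 3. Whitelist: only the listed classes are restored as real objects. TempFile
//    is not listed, so it is blocked exactly as in case 2.
$obj = unserialize($payload, ['allowed_classes' => ['Config', 'Token']]);
var_dump($obj instanceof __PHP_Incomplete_Class);
unset($obj);

// 4. Round-trip safety: a blocked object serializes back to the original bytes,
//    so stored data containing objects is not corrupted by the restriction.
$roundTrip = serialize(unserialize($payload, ['allowed_classes' => false]));
var_dump($roundTrip === $payload);
```

The destructor message appears only in case 1; the class is loaded in all four cases, so what protects cases 2 and 3 is purely the whitelist, not the absence of the class. Case 4 is the property the RFC calls round-trip safety: the restriction changes what code runs, not what bytes are stored.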

===== Backward Incompatible Changes =====

   * No user-level BC issues should arise, as the default mode behaves exactly as unserialize() does now.
   * It is not yet clear whether the binary API can be preserved with this change.
===== Proposed PHP Version(s) =====

The target version depends on whether the patch can be written in a way that preserves the binary API.
===== Other issues =====

  * It is not planned to call the unserialize_callback_func function for prohibited classes, as is done for non-existent classes; a prohibited class simply becomes __PHP_Incomplete_Class.
  * This option is currently not available for sessions or for any other function that unserializes data without going through unserialize(); such data is still restored with all classes allowed. It may be added later if needed.

===== References =====

   * Unserialize function: http://php.net/unserialize
   * Example of unserialize() security issue: http://heine.familiedeelstra.com/security/unserialize

===== Changelog =====

  - 2013-03-29 First version published