This is an old revision of the document!
PHP RFC: Secured unserialize()
- Version: 1.0
- Date: 2013-03-29
- Author: Stas Malyshev, email@example.com
- Status: Draft
- First Published at: http://wiki.php.net/rfc/secure_unserialize
unserialize() in PHP has certain security issues, brought by the fact that serialized data can include objects with data, and once these objects are instantiated, destructors are called when they are destroyed. This could allow to inject serialized data into application which may perform actions not intended by application writer.
The proposal is to amend unserialize() function, allowing to either completely prohibit restoring objects or restrict the objects being restored to a whitelist of objects.
For this purpose, optional second parameter is added to unserialize(), which can take the following values:
- true - default value, allows all objects just as before
- false - no objects allowed
- array of class names, which list the allowed classes for unserialized objects
If the class for the object is not allowed, the object is unserialized as an object of “incomplete class”, just as it is done in a case where object's class does not exist. This means that the serialized data are roundtrip-safe with any settings, but with added security settings the unintended objects will not be accessible and their destructors and other methods will not be called.
// this will unserialize everything as before $data = unserialize($foo); // this will convert all objects into __PHP_Incomplete_Class object $data = unserialize($foo, false); // this will convert all objects except ones of MyClass and MyClass2 into __PHP_Incomplete_Class object $data = unserialize($foo, array("MyClass", "MyClass2"));
Backward Incompatible Changes
- No user-level BC issues should arise, as the default mode functions exactly as unserialize() works now.
Proposed PHP Version(s)
Since the current patch preserves the binary API, the change can be merged into any PHP version.
- It is not planned that unserialize_callback_func function will be called on prohibited classes as it is done on non-existing classes.
- This option is not available currently for sessions and any other functions that use unserialization without calling unserialize(). This may be added later if needed, but for sessions it is very unlikely that untrusted user data will be injected as serialized session data - in that case the problems with security are much larger as pretty much any session-based authentication will be immediately broken.
- Unserialize function: http://php.net/unserialize
- Example of unserialize() security issue: http://heine.familiedeelstra.com/security/unserialize
- Joomla unserialize() vulnerability: http://seclists.org/bugtraq/2013/Apr/173
- CubeCart unserialize() vulnerability: http://karmainsecurity.com/KIS-2013-02
- TikiWiki unserialize() vulnerability: http://www.securityfocus.com/bid/54298/info
- Invision Power Board unserialize() vulnerability: http://www.securityfocus.com/bid/56288/info
- 2013-03-29 First version published