[php-maint] PHP security policy review

Raphael Geissert geissert at debian.org
Wed Jun 30 19:37:40 UTC 2010


On Wednesday 30 June 2010 12:10:38 Nico Golde wrote:
> * Raphael Geissert <geissert at debian.org> [2010-06-30 11:17]:
> > >  - problems which are not flaws in the design of php but can be
> > >  problematic
> > > 
> > > -  when used by sloppy developers (for example, not checking the
> > > contents -  of a tar file before extracting it).
> > > +  when used by sloppy developers (for example: not checking the
> > > contents +  of a tar file before extracting it, using unserialize() on
> > > +  untrusted data, or relying on a specific value of short_open_tag).
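Review bot: the quoted hunk has lost its line structure: the markers in `contents -  of a tar file before extracting it).` and `contents +  of a tar file before extracting it, using unserialize() on` have been wrapped onto the end of the preceding line, so the `-`/`+` lines no longer start with their markers and the hunk will not apply as quoted; resend it unwrapped or as an attachment. On the wording, the `+` lines file unserialize() on untrusted data in the same parenthesis as the tar and short_open_tag cases, i.e. as a "sloppy developers" problem; since the risk there comes from the function itself (it can instantiate whatever classes are loadable), a separate sentence for it would read more accurately.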
> > 
> > To include unserialize() and ini settings such as short_open_tag.
> 
> Using unserialize() on user input is imho not necessarily sloppy, I'd put
> that into its own sentence. While the unserialize() implementation is
> known to be problematic security-wise its use is not discouraged, there
> is no security hint on the php site itself and it's widely in use.

The problems I see with unserialize are:
* Some sloppy apps unserialize and trust the result (often done with the 
values of $_COOKIE too, whether serialized or not).
* If used in conjunction with classes, depending on the available classes 
(either already loaded or available via __autoload), it can lead to 
unexpected results or even code execution.

Both cases are independent of the correct parsing of the input data by 
unserialize().

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
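The two failure modes Raphael lists above (trusting whatever comes back from unserialize() on cookie data, and unserialize() instantiating arbitrary loadable classes) can both be closed on the application side. The following is an added example, not code from the thread or from Debian's php packaging; it assumes PHP 7.0 or later, which introduced the `allowed_classes` option to unserialize() (it did not exist when this mail was written). The cookie blobs, the preference names and the helper names are constructed for the illustration.

```php
<?php
// Constructed example: consuming serialized cookie data without trusting it.
// Assumes PHP >= 7.0 for unserialize()'s second argument (allowed_classes).

/**
 * Load user preferences from a raw cookie value.
 *
 * Two defenses, matching the two problems from the thread:
 *  1. allowed_classes => false: any O:/C: token becomes a
 *     __PHP_Incomplete_Class instead of instantiating an application class,
 *     so no __autoload/spl_autoload_register callback fires and no
 *     __wakeup()/__destruct() of a real class runs.
 *  2. The decoded structure is validated field by field against an expected
 *     shape; nothing from the cookie is used until it has passed that check.
 */
function load_prefs_from_cookie(string $raw): array {
    $defaults = ['theme' => 'light', 'per_page' => 20];

    // '@' only suppresses the E_NOTICE on malformed input; the false return
    // value is handled explicitly below.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return $defaults;                       // malformed, or not the shape we expect
    }

    $prefs = $defaults;
    if (isset($data['theme']) && in_array($data['theme'], ['light', 'dark'], true)) {
        $prefs['theme'] = $data['theme'];       // strict whitelist of values
    }
    if (isset($data['per_page']) && is_int($data['per_page'])
        && $data['per_page'] >= 1 && $data['per_page'] <= 100) {
        $prefs['per_page'] = $data['per_page']; // type and range checked
    }
    return $prefs;
}

/**
 * Heuristic for logging/monitoring: does a serialized blob carry an object
 * (O:) or a custom-serialized class (C:) at all? Legitimate cookie state is
 * normally scalars and arrays, so a hit is worth recording. This is a
 * coarse check (a string value containing ';O:1:"' would also match) and is
 * a complement to allowed_classes, not a replacement for it.
 */
function contains_serialized_object(string $raw): bool {
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $raw);
}

// Constructed inputs: one honest cookie, one that smuggles an object.
$honest     = serialize(['theme' => 'dark', 'per_page' => 50]);
$objectBlob = 'a:1:{s:5:"theme";O:8:"stdClass":0:{}}';

foreach ([$honest, $objectBlob] as $cookie) {
    if (contains_serialized_object($cookie)) {
        error_log('serialized object in preferences cookie: ' . bin2hex($cookie));
    }
    var_dump(load_prefs_from_cookie($cookie));
}
```

With the object-carrying blob, unserialize() returns an array whose `theme` entry is a `__PHP_Incomplete_Class` rather than an instance of any real class, the whitelist check rejects it, and the defaults are used. Where the data format is under the application's control, storing cookie state as JSON and reading it with json_decode() avoids the class-instantiation problem entirely, since JSON has no object-type token to begin with; the field validation shown above is still needed in that case.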