[php-maint] PHP security policy review
Raphael Geissert
geissert at debian.org
Wed Jun 30 19:37:40 UTC 2010
On Wednesday 30 June 2010 12:10:38 Nico Golde wrote:
> * Raphael Geissert <geissert at debian.org> [2010-06-30 11:17]:
> > > - problems which are not flaws in the design of php but can be
> > > problematic
> > >
> > > - when used by sloppy developers (for example, not checking the
> > > contents - of a tar file before extracting it).
> > > + when used by sloppy developers (for example: not checking the
> > > contents + of a tar file before extracting it, using unserialize() on
> > > + untrusted data, or relying on a specific value of short_open_tag).
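Review bot: the wrapped quoting has folded the diff markers into the text ("contents - of a tar file", "contents + of a tar file"), so the hunk cannot be applied as quoted; rewrap it so each changed line keeps its own leading "-" or "+". On the content, the "+" line files unserialize() on untrusted data under "sloppy developers" alongside the tar example; since the risk there comes from which classes happen to be loadable rather than from how carefully the caller checks the result, consider giving it a sentence of its own, as Nico's reply suggests.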
> >
> > To include unserialize() and ini settings such as short_open_tag.
>
> Using unserialize() on user input is imho not necessarily sloppy, I'd put
> that into its own sentence. While the unserialize() implementation is
> known to be problematic security-wise, its use is not discouraged; there
> is no security hint on the php site itself and it's widely in use.
The problems I see with unserialize are:
* Some sloppy apps unserialize and trust the result (often done with the
values of $_COOKIE too, whether serialized or not).
* If used in conjunction with classes, depending on the available classes
(either already loaded, or available via __autoload), it can lead to
unexpected results or even code execution.
Both cases are independent of the correct parsing of the input data by
unserialize().
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
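An added illustration of the second point above (example code written for this page, not from the thread or from Debian's policy): a loadable class whose __wakeup() runs as a side effect of unserialize(), and the PHP 7+ allowed_classes option that keeps such classes from being instantiated from client data. CacheEntry, sloppyLoad() and safeLoad() are hypothetical names.

```php
<?php
// A harmless-looking class that happens to be loadable (here defined
// directly; in a real app it may be pulled in via __autoload). PHP calls
// its __wakeup() whenever unserialize() reconstructs an instance.
class CacheEntry
{
    public $file;

    public function __wakeup()
    {
        // Stand-in for whatever side effect a real class has in
        // __wakeup()/__destruct(): it runs with client-chosen properties.
        error_log("CacheEntry::__wakeup ran for " . $this->file);
    }
}

// Sloppy pattern: the serialized string comes straight from the client
// (e.g. $_COOKIE), so any available class may be instantiated.
function sloppyLoad(string $cookie)
{
    return unserialize($cookie);
}

// Safer pattern (PHP 7+): refuse objects entirely. Only scalars and arrays
// come back; class instances become inert __PHP_Incomplete_Class objects
// and no application __wakeup()/__destruct() runs. The returned values
// still need the usual validation before they are trusted.
function safeLoad(string $cookie)
{
    return unserialize($cookie, ['allowed_classes' => false]);
}

// Constructed sample: the string a client could place in a cookie.
$entry = new CacheEntry();
$entry->file = '/tmp/x';
$sample = serialize($entry); // O:10:"CacheEntry":1:{s:4:"file";s:6:"/tmp/x";}

$a = sloppyLoad($sample);
var_dump($a instanceof CacheEntry);             // bool(true), __wakeup() ran
$b = safeLoad($sample);
var_dump($b instanceof __PHP_Incomplete_Class); // bool(true), nothing ran
```

If the data only needs to be a plain array, json_encode()/json_decode() avoids the object machinery altogether.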