[php-maint] Bug#639230: Re: [php5] README.Debian.security: unclear reference to unserialize() risk

Filipus Klutiero chealer at gmail.com
Tue Jan 31 23:38:47 UTC 2012

On -28163-01--10 14:59, Thijs Kinkhorst wrote:
> Hi,
>> README.Debian.security contains:
>>> Most specifically, the security team will not provide
>>> support for flaws in:
>>> - problems which are not flaws in the design of php but can be
> problematic
>>>    when used by sloppy developers (for example: not checking the contents
>>>    of a tar file before extracting it, using unserialize() on
>>>    untrusted data, or relying on a specific value of short_open_tag).
>> It is unclear to me how using unserialize() on untrusted data would
>> create a particular risk. Do you perhaps mean extract()?
> README.Debian.security is designed to be a brief overview of what is
> supported. Users that want to know more about *why* a certain technique
> can be risky, can refer to the PHP manual. On the topic of unserialize(),
> this writes:
> "If the variable being unserialized is an object, after successfully
> reconstructing the object PHP will automatically attempt to call the
> __wakeup() member function (if it exists)."
> which should clearly illustrate the risk with unserializing untrusted data.

Thank you Thijs.

I understand from Thijs's comment that the README is alluding to the 
built-in unserialize() function: 
Assuming that is correct, please consider this report a reminder to clarify.

Regarding the risks in the unserialize() function, I happen to think the 
quoted passage is far from a clear illustration and reported upstream 
about this in https://bugs.php.net/bug.php?id=60941

More information about the pkg-php-maint mailing list