[php-maint] Bug#639230: Re: [php5] README.Debian.security: unclear reference to unserialize() risk

Filipus Klutiero chealer at gmail.com
Tue Jan 31 23:38:47 UTC 2012


On -28163-01--10 14:59, Thijs Kinkhorst wrote:
> Hi,
>
>> README.Debian.security contains:
>>> Most specifically, the security team will not provide
>>> support for flaws in:
>>>
>>> - problems which are not flaws in the design of php but can be problematic
>>>    when used by sloppy developers (for example: not checking the contents
>>>    of a tar file before extracting it, using unserialize() on
>>>    untrusted data, or relying on a specific value of short_open_tag).
>> It is unclear to me how using unserialize() on untrusted data would
>> create a particular risk. Do you perhaps mean extract()?
> README.Debian.security is designed to be a brief overview of what is
> supported. Users that want to know more about *why* a certain technique
> can be risky, can refer to the PHP manual. On the topic of unserialize(),
> this writes:
>
> "If the variable being unserialized is an object, after successfully
> reconstructing the object PHP will automatically attempt to call the
> __wakeup() member function (if it exists)."
>
> which should clearly illustrate the risk with unserializing untrusted data.

Thank you Thijs.

I understand from Thijs's comment that the README is alluding to the 
built-in unserialize() function: 
http://ca.php.net/manual/en/function.unserialize.php
Assuming that is correct, please consider this report a reminder to clarify.

Regarding the risks in the unserialize() function, I happen to think the 
quoted passage is far from a clear illustration and reported upstream 
about this in https://bugs.php.net/bug.php?id=60941
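As an added illustration of the mechanism the quoted manual sentence refers to (this is not part of the thread, and not Debian's or PHP's own code): a class that does something with its own properties in __wakeup() becomes reachable from any unserialize() call that takes attacker-controlled input, because the attacker writes the serialized string by hand and chooses both the class and every property value. The class name CacheFile, its __wakeup() body, and the temporary-file path are assumptions made for the demonstration. The allowed_classes option shown at the end postdates this 2012 exchange (it was added in PHP 7.0).

```php
<?php
// Added example (not from the thread): how unserialize() on attacker-controlled
// input reaches application code through __wakeup().
// The class, its property and its side effect are hypothetical; in a real
// application the "gadget" is whatever class happens to be loaded.

class CacheFile
{
    public $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    // Called automatically by unserialize() once the object has been rebuilt,
    // with whatever property values the serialized string supplied.
    public function __wakeup()
    {
        // Hypothetical clean-up logic that trusts its own state.
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Constructed victim file so the example runs stand-alone.
$victim = sys_get_temp_dir() . '/important.txt';
file_put_contents($victim, "do not delete\n");

// The attacker never needs the application to have serialized this object;
// the wire format is simple enough to write by hand:
//   O:<len>:"<class>":<nprops>:{s:<len>:"<prop>";s:<len>:"<value>";}
$payload = 'O:9:"CacheFile":1:{s:4:"path";s:' . strlen($victim) . ':"' . $victim . '";}';

// Vulnerable: untrusted string straight into unserialize().
// __wakeup() runs with the attacker's path and the victim file is removed.
unserialize($payload);
echo 'after plain unserialize, victim exists: ' . var_export(file_exists($victim), true) . "\n";

// Hardened (PHP >= 7.0): refuse to instantiate any class. Objects in the
// input come back as __PHP_Incomplete_Class and no __wakeup() (or later
// __destruct()) of an application class is ever invoked.
file_put_contents($victim, "do not delete\n");
$result = unserialize($payload, ['allowed_classes' => false]);
echo 'restored as: ' . get_class($result) . "\n";
echo 'after restricted unserialize, victim exists: ' . var_export(file_exists($victim), true) . "\n";

// For data that never needs objects at all, json_decode() is the simpler
// choice: it cannot create instances of application classes.
```

Run with `php example.php`: the first unserialize() deletes the temporary file, the second leaves it in place and yields a __PHP_Incomplete_Class instead of a CacheFile. The point is that the "risk" is not in unserialize() itself but in every __wakeup() and __destruct() the application defines, which is why the manual sentence, read on its own, does not make the danger obvious.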
