[php-maint] Bug#639230: Re: [php5] README.Debian.security: unclear reference to unserialize() risk
chealer at gmail.com
Tue Jan 31 23:38:47 UTC 2012
On -28163-01--10 14:59, Thijs Kinkhorst wrote:
>> README.Debian.security contains:
>>> Most specifically, the security team will not provide
>>> support for flaws in:
>>> - problems which are not flaws in the design of php but can be
>>> when used by sloppy developers (for example: not checking the contents
>>> of a tar file before extracting it, using unserialize() on
>>> untrusted data, or relying on a specific value of short_open_tag).
>> It is unclear to me how using unserialize() on untrusted data would
>> create a particular risk. Do you perhaps mean extract()?
> README.Debian.security is designed to be a brief overview of what is
> supported. Users that want to know more about *why* a certain technique
> can be risky, can refer to the PHP manual. On the topic of unserialize(),
> this writes:
> "If the variable being unserialized is an object, after successfully
> reconstructing the object PHP will automatically attempt to call the
> __wakeup() member function (if it exists)."
> which should clearly illustrate the risk with unserializing untrusted data.
Thank you Thijs.
I understand from Thijs's comment that the README is alluding to the
built-in unserialize() function:
Assuming that is correct, please consider this report a reminder to clarify.
Regarding the risks in the unserialize() function, I happen to think the
quoted passage is far from a clear illustration and reported upstream
about this in https://bugs.php.net/bug.php?id=60941
More information about the pkg-php-maint