Re: [RFC] more secure unserialize()
> This is not a good situation, and presently there is no way to
> avoid it except dropping serialize() completely - which may not be
> an option in some cases and in any case would require serious
> changes to the production code.
And what about automatic un/serialize() of objects in $_SESSION?
People don't even see those function calls in their code, so dropping
the function/ality would be a wildly drastic move.
IMO, there's a minefield of "most surprise" to worry about unless you
tread gently, as in your suggestion of an extra param. And probably
want two optional PHP.INI settings: one for when unserialize() is
called automatically (so you can't pass it anything), and one for when
unserialize() is called in user code without a second argument but you
want a default whitelist to be applied (say, to instantly "harden" a
codebase and sort out consequences later).
-- S.
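The "extra param" under discussion is, in the form PHP eventually shipped (7.0 and later), the `allowed_classes` entry in the options array of `unserialize()`. The following is an added example, not code from this thread or from PHP's own sources, showing how an explicit call can be hardened with a class whitelist and how a payload naming a non-whitelisted class is neutralised (it comes back as `__PHP_Incomplete_Class`, so no `__wakeup()`/`__destruct()` of the foreign class runs). The class names and payloads are constructed for illustration. Note that this only covers explicit calls in user code; the automatic `$_SESSION` deserialisation the message raises goes through the session serializer, which takes no such option, so that path still depends on the session store being trustworthy.

```php
<?php
// Added example (not from the thread): whitelist-based unserialize() using
// the allowed_classes option available since PHP 7.0.

class Invoice {
    public $id;
    public function __construct($id) { $this->id = $id; }
}

// Stand-in for any class whose magic methods you do not want attacker-
// supplied data to trigger. Here __wakeup() merely reports that it ran.
class Dangerous {
    public $note = 'constructed sample';
    public function __wakeup() { echo "Dangerous::__wakeup ran\n"; }
}

// Recursively check for __PHP_Incomplete_Class, which is what unserialize()
// substitutes for every class not on the whitelist, at any nesting depth.
function contains_incomplete($value)
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value) || is_object($value)) {
        foreach ((array) $value as $child) {
            if (contains_incomplete($child)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened wrapper: only $allowed may be instantiated; anything else in the
// payload is rejected instead of being silently carried as an incomplete
// object. Pass [] (or false) when the data should contain no objects at all.
function safe_unserialize(string $data, array $allowed)
{
    $value = unserialize($data, ['allowed_classes' => $allowed]);
    if (contains_incomplete($value)) {
        throw new UnexpectedValueException('unserialize: class not in whitelist');
    }
    return $value;
}

// Constructed sample payloads: one benign, one naming a class we never want
// unserialize() to instantiate, one nesting that class inside an array.
$benign = serialize(new Invoice(42));
$hostile = serialize(new Dangerous());
$nested = serialize(['items' => [new Invoice(7)], 'extra' => new Dangerous()]);

$inv = safe_unserialize($benign, [Invoice::class]);
echo 'benign payload -> ', get_class($inv), " id=", $inv->id, "\n";

foreach ([$hostile, $nested] as $payload) {
    try {
        safe_unserialize($payload, [Invoice::class]);
        echo "unexpected: payload accepted\n";
    } catch (UnexpectedValueException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}

// Data-only payloads: refuse every class outright.
$scalars = safe_unserialize(serialize(['a' => 1, 'b' => [2, 3]]), []);
echo 'scalar payload -> b[1] = ', $scalars['b'][1], "\n";
```

Running the script with `php` prints the accepted `Invoice`, two rejections (the `Dangerous::__wakeup` line never appears, because the class is never instantiated), and the scalar result. The recursive check matters: `allowed_classes` does not make `unserialize()` fail on a disallowed class, it just returns an incomplete object, and without the walk a nested one would survive into application code.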