Re: Re: [PHP-DEV] [RFC] more secure unserialize()

From:	Michael Gauthier	Date:	Tue, 02 Apr 2013 18:03:33 +0000
Subject:	Re: Re: [PHP-DEV] [RFC] more secure unserialize()
References:	1	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

On 2013-03-31 00:27, Stas Malyshev wrote:
Hi!


I think Stas proposes a solution to the problem and I think Anthony
proposes a viable alternative. I would say that Anthony has found the
shortest distance between the two points (the problem and the solution),
however.

The fact is that people do use serialize() for data that may be
accessible by the user (or made accessible by unrelated security issues,
which may be upgraded in severity by this - e.g. from SQL injection to
persistent code backdoor on the server). There are many ways to do
things differently, and they are known. However, as I said, the fact is
people do use serialize() and may not even realize the data aren't as
secure as they are. That's why many security tools flag any object with
dtor in application using unserialize as insecure. This is not a good
situation, and presently there are no way to avoid it except dropping
serialize() completely - which may not be an option is some cases and in
any case would require serious changes to the production code.

This enhancement is to fix this problem. It is not to change best
practices or give advice on how to write the most secure system - it is
to make existing code more secure easily.


An alternative to whitelisting or forbidding unserialization of classes is to sign your serialized data. We do this in a couple of places where users have access to serialized data (cookies, forms). There's a private key on the server and serialized data is encoded with a signature at the end. Users cannot directly modify the serialized data because they can't resign it without the key. The server rejects invalid signatures before unserializing.

Maybe PHP core could add signed_serialize($data, $key) and signed_unserialize($data, $key).

Cheers,
Mike


   

Thread (15 messages)

• Stas MalyshevSun, 31 Mar 2013 02:54:18 +0000
  • Anthony FerraraSun, 31 Mar 2013 03:05:11 +0000
    • Sherif RamadanSun, 31 Mar 2013 03:12:47 +0000
      • Stas MalyshevSun, 31 Mar 2013 03:27:25 +0000
        • Sanford WhitemanSun, 31 Mar 2013 05:04:38 +0000
          • Stas MalyshevSun, 31 Mar 2013 05:42:06 +0000
            • Sanford WhitemanSun, 31 Mar 2013 07:59:03 +0000
        • Anthony FerraraSun, 31 Mar 2013 12:04:50 +0000
        • Nikita PopovSun, 31 Mar 2013 18:36:38 +0000
          • Stas MalyshevMon, 01 Apr 2013 19:18:43 +0000
            • Steve ClayMon, 01 Apr 2013 19:46:38 +0000
        • Steve ClaySun, 31 Mar 2013 18:46:21 +0000
          • ALeXSun, 31 Mar 2013 21:18:16 +0000Re: [lists.php] Re: [PHP-DEV] [RFC] more secure unserialize()
            • Ángel GonzálezSun, 31 Mar 2013 21:27:59 +0000Re: Re: [lists.php] Re: [PHP-DEV] [RFC] more secure unserialize()
        • Michael GauthierTue, 02 Apr 2013 18:03:33 +0000Re: Re: [PHP-DEV] [RFC] more secure unserialize()