Validation of class names in the autoload process

From: Date: Thu, 17 Oct 2013 07:27:23 +0000
Subject: Validation of class names in the autoload process
Groups: php.internals 
It has come to my attention that it's possible to abuse some
autoloaders by trying to autoload class names like
"Foo\Bar\..\..\uploads\exploit.php" for example, which could be
transformed to src/Foo/Bar/../../uploads/exploit.php, and then would
require that file.

Obviously the code would most likely end up in a fatal error because the
class is missing, but the file still gets required. This would be
possible if for some reason you use unvalidated user input to create
class names, which I know I have done myself in APIs to deserialize
POSTed data to a class Foo\X or Foo\Y for example.

There are different ways to handle this, but the way I see it, it would
be best handled at the PHP core level by simply preventing classes
containing dots (and possibly null bytes and other chars?) from ever
reaching the userland autoloaders. The other alternative is for every
autoloader out there to protect itself, inducing perf penalties and
having most autoloaders being vulnerable. It's a slim vector perhaps
but a valid one nonetheless, and I think it can be fixed at the source
without any BC issue since the only way to use classes with dots right
now is to use stuff like class_alias() to define them and then use
them through strings/var names consistently, which sounds so painful I
can't imagine why one would have ever done so.

Cheers
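
The per-autoloader alternative mentioned in the message, sketched as an added example that is not part of the original post and is not code from PHP core or any real autoloader: the class name is checked against PHP's label syntax before any path is built, and the resolved path must stay under the base directory. The function names and the `src` base directory are assumptions.

```php
<?php
// Added example; naiveClassToPath(), isValidClassName() and safeAutoload()
// are hypothetical names, and 'src' is an assumed base directory.

// Naive PSR-0 style mapping: namespace separators become directory separators.
function naiveClassToPath(string $baseDir, string $class): string
{
    return $baseDir . '/' . str_replace('\\', '/', ltrim($class, '\\')) . '.php';
}

// Accept only valid PHP labels joined by single backslashes. Dots, slashes,
// null bytes, empty segments and a trailing newline (D modifier) all fail.
function isValidClassName(string $class): bool
{
    $label = '[a-zA-Z_\x80-\xff][a-zA-Z0-9_\x80-\xff]*';
    return preg_match('/^\\\\?' . $label . '(?:\\\\' . $label . ')*$/D', $class) === 1;
}

function safeAutoload(string $baseDir, string $class): bool
{
    if (!isValidClassName($class)) {
        return false; // malformed names never reach the filesystem
    }
    $root = realpath($baseDir);
    $path = realpath(naiveClassToPath($baseDir, $class));
    // Defence in depth: the resolved file must still live under the base directory.
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return false;
    }
    require $path;
    return true;
}

spl_autoload_register(fn(string $c) => safeAutoload(__DIR__ . '/src', $c));

// Constructed sample inputs; the third is the class name quoted in the message.
$samples = ['Foo\Bar', '\Foo\Bar', 'Foo\Bar\..\..\uploads\exploit.php',
            "Foo\0Bar", 'Foo\\\\Bar', "Foo\\Bar\n"];
foreach ($samples as $name) {
    printf("%-42s valid=%-5s naive path=%s\n",
        json_encode($name),
        var_export(isValidClassName($name), true),
        json_encode(naiveClassToPath('src', $name), JSON_UNESCAPED_SLASHES));
}
```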

