Re: Validation of class names in the autoload process

From:	Johannes Schlüter	Date:	Thu, 17 Oct 2013 13:21:08 +0000
Subject:	Re: Validation of class names in the autoload process
References:	1 2 3	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

On Thu, 2013-10-17 at 14:59 +0200, Jordi Boggiano wrote:
> On Thu, Oct 17, 2013 at 2:31 PM, Johannes Schlüter
> <[email protected]> wrote:
> > Are there codepaths where this can be injected from the outside? In the
> > unserializer this was prevented in
> > https://github.com/php/php-src/commit/ff8055fc5c9750482aac7a25a074aae0b1e64706
> > and some further commits, i.e.
> > https://github.com/php/php-src/commit/7126de4912d9d4c7499deb1f9239980400aa7ec7#diff-d697fc054b607bb0ffd7493daeb6a1afR616
> 
> Sorry when I said deserialize I meant this as a generic term not php's
> unserialize(). I mean say you have two types of something, and the API
> works taking a type param + some data for it, and you create it with
> something along those lines:
> 
>   $class = 'Foo\Bar\Type'.$userGivenType;
>   $obj = new $class($userData);
> 
> In this case, the autoloader would be called with whatever the user
> passed in unless you validate it, but since autoloader injection isn't
> a very common vector many devs wouldn't validate this and assume a
> happy path I guess.

I know new $class() and other ways, I was more curious about the real
security impact -- usage of unchecked class names has quite a few
security implications even without autoloader. Are there "common" ways
about how unsafe class names might be injected?

An attacker could use that to trigger "bad" constructor behavior or
such.

> IMO performance is the only valid concern, but it'll be faster done
> once in the proper way in C than done in various crappy ways in every
> userland autoloader, and it will also protect everyone at once. There
> might be edge cases not covered by invalidating "." and "NUL", but to
> keep it fast it may be best to only check for known bad chars instead
> of the full regex?

If PHP does a "minimal" check only there's nothing won. Autoloaders
still have to check according to their needs. For example on Windows
checking : is important, else I inject $classname = "c:\\foobar" as
filename and bypass one or the other autoloader. And who tells that
classes are loaded from filesystems, not database+eval, suddenly ' is
dangerous. There are tons of other examples easy to construct and we
should not pretend to be safe there.

If one takes class names from untrusted sources one has to be careful.

johannes




   

Thread (5 messages)

• Jordi BoggianoThu, 17 Oct 2013 07:27:23 +0000
  • Johannes SchlüterThu, 17 Oct 2013 12:31:55 +0000
    • Jordi BoggianoThu, 17 Oct 2013 12:59:02 +0000
      • Johannes SchlüterThu, 17 Oct 2013 13:21:08 +0000
        • Jordi BoggianoThu, 17 Oct 2013 13:49:28 +0000