Hi All,

Have a situation where I want to unserialize a string received from an untrusted source over HTTP (a JavaScript client in this case). For basic types this is no concern, but when it comes to objects, it would be nice to be able to restrict the class of object to a member of a known list, to prevent "unplanned objects" being created from classes which happened to be defined but were not intended for unserialization (such as the growing number of pre-loaded classes in PHP5), and the possible security issues that might introduce.

Checking the type of class once the object has been created might be too late, depending on what the constructor does. That leaves manually parsing the serialized string in PHP, before calling unserialize, as the only really safe option.

Could be this is outside of the scope of intended use of unserialize(), but PHP's serialized representation of data makes a pretty nice encoding for exchange with other systems, and I notice others doing the same, e.g.:

http://www.aagh.net/projects/ruby-php-serialize
http://hcs.harvard.edu/~pli/code/serialPHP.pm
http://www.cpan.org/modules/by-module/PHP/JBROWN/php-serialization/
http://hurring.com/code/perl/serialize/

Serialized data is also often used with sessions, which means the usual issues with shared hosts and session files (OK - smarter users avoid this but...).

Perhaps unserialize could take a second (optional) argument which is a list of allowed classes to validate against.

Many thanks,
Harry

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
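The allow-list the post asks for was later added to PHP as the 'allowed_classes' option of unserialize() (PHP 7.0 and newer). The following is an added example, not code from the post or from PHP itself; the Point and Job classes and the two serialized payloads are constructed for illustration. It wraps unserialize() so that only listed classes are reconstructed, and then rejects any payload in which a class token was replaced by the __PHP_Incomplete_Class stand-in, so the caller never works with a partially decoded object:

```php
<?php
// Added example (not part of the original post). Requires PHP >= 7.0 for the
// 'allowed_classes' option. Class and payload names below are constructed.

// Hypothetical class that IS meant to be exchanged with the client.
final class Point
{
    public $x = 0;
    public $y = 0;
}

// Hypothetical class that is NOT meant to be rebuilt from client input.
// Its __wakeup() shows why checking the class after the fact is too late:
// by then the magic method has already run.
final class Job
{
    public $name = '';

    public function __wakeup()
    {
        echo "Job::__wakeup() ran\n";
    }
}

/**
 * Unserialize an untrusted payload, allowing only the classes in $allowed.
 * Every other object token is turned into __PHP_Incomplete_Class by PHP,
 * so no constructor, __wakeup() or __unserialize() of the original class
 * runs; the wrapper then refuses the whole payload.
 *
 * @param string   $payload  serialized data from the client
 * @param string[] $allowed  fully qualified class names that may be rebuilt
 * @return mixed
 */
function safeUnserialize($payload, array $allowed)
{
    // '@' silences the notice on malformed input; we turn it into an exception.
    $value = @unserialize($payload, ['allowed_classes' => $allowed]);
    if ($value === false && $payload !== serialize(false)) {
        throw new RuntimeException('Malformed serialized data');
    }
    if (containsIncompleteClass($value)) {
        throw new RuntimeException('Payload references a class outside the allow-list');
    }
    return $value;
}

// Walk the decoded value (arrays and object properties) looking for stand-ins.
function containsIncompleteClass($value)
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value) || is_object($value)) {
        foreach ((array) $value as $child) {
            if (containsIncompleteClass($child)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample payloads: one with the allowed class, one with Job.
$ok  = 'a:1:{s:1:"p";O:5:"Point":2:{s:1:"x";i:1;s:1:"y";i:2;}}';
$bad = 'a:1:{s:1:"p";O:3:"Job":1:{s:4:"name";s:7:"nightly";}}';

$data = safeUnserialize($ok, [Point::class]);
var_dump($data['p'] instanceof Point);   // bool(true)

try {
    safeUnserialize($bad, [Point::class]);   // Job::__wakeup() never runs
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";             // Payload references a class outside the allow-list
}
```

Passing `['allowed_classes' => false]` forbids objects entirely, which is the right default for payloads that only need scalars and arrays. The incomplete-class walk matters because a disallowed object nested inside an allowed one would otherwise be returned silently as a __PHP_Incomplete_Class instance rather than as an error.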