> Have a situation where I want to unserialize a string received from an
> untrusted source over HTTP (a Javascript client in this case). For
> basic types this is no concern but when it comes to objects, would be
> nice to be able to restrict the class of object to a member of a known
> list, to prevent "unplanned objects" being created from classes which
> happened to be defined but were not intended for unserialization (such
> as the growing number of pre-loaded classes in PHP5), and the possible
> security issues that might introduce.
>

if (preg_match_all('/(^|[:;{])[OC]:\d+:("[^"]*")/', $serializedString, $matches, PREG_PATTERN_ORDER)) {
    /* Serialized data contains objects (O:) or Serializable payloads (C:);
       the token may follow ':', ';' or '{' as well as start the string */
    foreach ($matches[2] as $match) {   /* group 2 is the quoted class name */
        $class = trim($match, '"');
        /* $bad_classes: the list of class names that must not be unserialized */
        if (in_array($class, $bad_classes)) die("Bad hacker, no cookie for you!");
    }
}
Something along the lines of the above should do the trick. It's got some shortcomings, but they're the type to give false positives rather than act as security holes... Though considering the fact that it'd be more trustable/reliable to implement in unserialize itself and not a complicated check to include anyway, I'd say "sure, why not".

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
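The check the reply sketches can be made exact rather than regex-based. The example below is added here and is not code from the thread: it walks the serialized payload token by token, tracking the byte lengths of s: and C: tokens, so a class name that merely appears inside a string value cannot produce a false positive, and every O:/C: token is seen whether it follows ':', ';' or '{'. It assumes PHP 7 or later, where unserialize() also accepts an allowed_classes option and can enforce the same allowlist itself; the Point class, the allowlist and the two payloads are constructed for the example.

```php
<?php
// Added example for this thread, not code posted to the list.
// Assumes PHP >= 7.0 (scalar type declarations, unserialize() options).

class Point { public $x; public $y; }   // constructed for the example

/** Return the class names named by every O: and C: token in $data. */
function serialized_class_names(string $data): array
{
    $classes = [];
    $len = strlen($data);
    $i = 0;
    while ($i < $len) {
        $type = $data[$i];
        if ($type === 'N') {                                   // N;
            $i += 2;
        } elseif (strpos('bidrR', $type) !== false) {          // b:1;  i:42;  d:1.5;  r:2;
            $end = strpos($data, ';', $i);
            if ($end === false) throw new InvalidArgumentException("unterminated scalar at $i");
            $i = $end + 1;
        } elseif ($type === 's') {                             // s:5:"hello";  skip by byte length
            if (!preg_match('/\Gs:(\d+):"/', $data, $m, 0, $i)) throw new InvalidArgumentException("bad string at $i");
            $i += strlen($m[0]) + (int)$m[1] + 2;              // payload, closing quote, ';'
        } elseif ($type === 'a') {                             // a:2:{ ... }  elements follow as tokens
            if (!preg_match('/\Ga:\d+:\{/', $data, $m, 0, $i)) throw new InvalidArgumentException("bad array at $i");
            $i += strlen($m[0]);
        } elseif ($type === 'O' || $type === 'C') {            // O:5:"Point":2:{ ... }   C:3:"Foo":5:{hello}
            if (!preg_match('/\G[OC]:(\d+):"/', $data, $m, 0, $i)) throw new InvalidArgumentException("bad object at $i");
            $nameStart = $i + strlen($m[0]);
            $classes[] = substr($data, $nameStart, (int)$m[1]);
            $i = $nameStart + (int)$m[1] + 1;                  // just past the closing quote
            if (!preg_match('/\G:(\d+):\{/', $data, $m, 0, $i)) throw new InvalidArgumentException("bad object body at $i");
            $i += strlen($m[0]);
            if ($type === 'C') {                               // opaque Serializable body: skip it and its '}'
                $i += (int)$m[1] + 1;
            }
        } elseif ($type === '}') {
            $i++;
        } else {
            throw new InvalidArgumentException("unexpected token '$type' at offset $i");
        }
    }
    return array_values(array_unique($classes));
}

/** Refuse any payload naming a class outside $allowed, then unserialize it. */
function safe_unserialize(string $data, array $allowed)
{
    $lower = array_map('strtolower', $allowed);                // PHP class names are case-insensitive
    foreach (serialized_class_names($data) as $class) {
        if (!in_array(strtolower($class), $lower, true)) {
            throw new UnexpectedValueException("refusing to unserialize class $class");
        }
    }
    // Second layer: PHP >= 7.0 lets unserialize() enforce the allowlist itself
    // (anything else is materialised as __PHP_Incomplete_Class).
    return unserialize($data, ['allowed_classes' => $allowed]);
}

// Constructed inputs: an allowed Point inside an array, and a payload whose
// first element is a *string* containing an object token, followed by a real stdClass.
$allowed = ['Point'];
$ok  = 'a:1:{i:0;O:5:"Point":2:{s:1:"x";i:1;s:1:"y";i:2;}}';
$bad = 'a:2:{i:0;s:19:"O:8:"stdClass":0:{}";i:1;O:8:"stdClass":0:{}}';

var_dump(serialized_class_names($ok));
var_dump(serialized_class_names($bad));
var_dump(safe_unserialize($ok, $allowed)[0] instanceof Point);
try {
    safe_unserialize($bad, $allowed);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), "\n";
}
```

Because the scanner skips string payloads by their declared byte length, the quoted "O:8:"stdClass":0:{}" inside $bad is never taken for an object; only the genuine stdClass token after it is reported, and that is what safe_unserialize() refuses. An allowlist is used rather than the reply's $bad_classes denylist, since the original poster's aim is exactly "a member of a known list", and a denylist would have to track every class the runtime happens to define.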