On 15.08.2017 at 23:56, Christoph M. Becker wrote:
> What about references? Consider, for instance, the following code:
>
> <?php
>
> $_POST['untrusted_input'] = 'a:1:{i:0;a:1:{i:0;R:2;}}';
>
> function flatten($array)
> {
>     if (is_array($array)) {
>         $result = [];
>         foreach ($array as $element) {
>             $result = array_merge($result, flatten($element));
>         }
>         return $result;
>     }
>     return [$array];
> }
>
> $unserializedInput = unserialize($_POST['untrusted_input'], []);
> flatten($unserializedInput);
>
> Of course, the `flatten()` function is naive, but it is fine for any
> "normal" input. However, this very code has a DoS issue. Do we really
> want to say that it is the developer's responsibility to check for
> infinite recursion for code that uses the result of `unserialize(…, [])`
> in this way?
>
> It appears to me that `unserialize()` cannot ever be safe, unless class
> instantiation *and* references can be excluded. (Neither of these
> "features" are available in JSON or (supposed to be) in WDDX, by the
> way.) While the former is possible, the latter is not (yet), so in my
> humble opinion we should not try to claim that `unserialize(…, [])` is
> safe, at least unless there is a mechanism to disallow unserializing of
> references, too.
My apologies for not having read the documentation! Actually, I meant
unserialize(…, ['allowed_classes' => false])
instead of
unserialize(…, [])
--
Christoph M. Becker
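As an added illustration (not code from the thread or from php-src) of the point made in the quoted message, the script below unserializes the same `R:2` payload with `'allowed_classes' => false` and then flattens it with a depth-bounded variant of `flatten()`. The `MAX_DEPTH` limit, the function names `safeFlatten()` and `decodeUntrusted()`, and the second "normal" payload are assumptions chosen for this example; the recursive payload is the one quoted above.

```php
<?php
// Added example, not part of the original mailing-list post.
// Shows that 'allowed_classes' => false blocks object instantiation but not
// references, and that a depth bound turns the resulting cyclic array into a
// handled error instead of unbounded recursion.

declare(strict_types=1);

// Payload from the quoted message: the outer array is value #1, the inner
// array is value #2, and R:2 makes inner[0] a reference to the inner array
// itself, so the structure is cyclic.
const RECURSIVE_PAYLOAD = 'a:1:{i:0;a:1:{i:0;R:2;}}';

// Constructed "normal" payload for comparison: ['x', ['y']].
const NORMAL_PAYLOAD = 'a:2:{i:0;s:1:"x";i:1;a:1:{i:0;s:1:"y";}}';

// Assumed limit; set it to the deepest nesting legitimate input can have.
const MAX_DEPTH = 64;

function safeFlatten($value, int $depth = 0): array
{
    if ($depth > MAX_DEPTH) {
        throw new RuntimeException(
            'nesting deeper than ' . MAX_DEPTH . ' levels; refusing input'
        );
    }
    if (!is_array($value)) {
        return [$value];
    }
    $result = [];
    foreach ($value as $element) {
        // Append leaf by leaf instead of array_merge() per element, which
        // would copy $result on every call.
        foreach (safeFlatten($element, $depth + 1) as $leaf) {
            $result[] = $leaf;
        }
    }
    return $result;
}

function decodeUntrusted(string $serialized)
{
    // allowed_classes => false prevents any object from being instantiated.
    // References (R:/r:) are still honoured, so cyclic arrays remain possible.
    $data = @unserialize($serialized, ['allowed_classes' => false]);
    // unserialize() returns false both for malformed input and for the
    // literal serialized false, so distinguish the two.
    if ($data === false && $serialized !== 'b:0;') {
        throw new RuntimeException('malformed serialized input');
    }
    return $data;
}

foreach (['normal' => NORMAL_PAYLOAD, 'recursive' => RECURSIVE_PAYLOAD] as $label => $payload) {
    try {
        $leaves = safeFlatten(decodeUntrusted($payload));
        printf("%s: %d leaves: %s\n", $label, count($leaves), implode(',', $leaves));
    } catch (RuntimeException $e) {
        printf("%s: rejected (%s)\n", $label, $e->getMessage());
    }
}
```

The normal payload flattens to two leaves, while the recursive one is rejected once the depth bound is exceeded rather than recursing until the stack or memory limit is hit. A depth bound is used rather than cycle detection because PHP arrays are values and a reference-induced cycle is not observable through `foreach` alone; the bound is what makes the worst case finite.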
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php