On Wed, Jan 30, 2019 at 10:20 AM Nicolas Grekas <[email protected]> wrote:

> Hi Nikita,
>
> https://wiki.php.net/rfc/custom_object_serialization
>
> In the RFC, you mention that "Executing arbitrary code in the middle of
> unserialization is dangerous and has led to numerous unserialize()
> vulnerabilities in the past. For this reason __wakeup() calls are now
> delayed until the end of unserialization."
>
> How about destructors?
> Some vulnerabilities come from destructors doing things with unserialized
> state.
> Would it be possible/a good idea to *not* call any destructors unless the
> "wakeup" stage has been successful? Any exceptions thrown during
> __wakeup/__unserialize would mean the unserialized data structure should be
> destroyed without calling any destructors?
> WDYT?

This is already how it works. If a class has __wakeup and unserialization
fails (or call of __wakeup fails), then we will not call the destructor.
(The same would be true for __unserialize under this proposal.)

Nikita
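
An added illustration of the behaviour discussed in the thread (example code written here, not part of the RFC or of the thread): a class that opts into the RFC's __serialize()/__unserialize() hooks, validates its state inside __unserialize() and throws on anything it does not accept. The class name TempFile, the directory check and both serialized payloads are constructed for this example; the "bad" payload is hand-written to carry a path the class rejects. It assumes PHP 7.4 or later, where __serialize()/__unserialize() exist.

```php
<?php
// Added example, not from the thread. Requires PHP >= 7.4.
final class TempFile
{
    private string $path = '';

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    // Runs at serialize() time; returns the state to store.
    public function __serialize(): array
    {
        return ['path' => $this->path];
    }

    // Runs at the end of unserialization with the stored state.
    // Validation happens before the object is considered alive; throwing
    // here aborts unserialize() and, per Nikita's reply above, the engine
    // does not call __destruct() on the half-built object.
    public function __unserialize(array $data): void
    {
        $path = $data['path'] ?? null;
        if (!is_string($path) || strpos($path, '/tmp/app/') !== 0) {
            throw new UnexpectedValueException(
                'refusing path outside /tmp/app/: ' . var_export($path, true)
            );
        }
        $this->path = $path;
    }

    // A side effect that must only ever see validated state.
    public function __destruct()
    {
        echo "cleanup of {$this->path}\n";
    }
}

// Constructed payloads (hypothetical input, hand-written):
//   $good is what serialize(new TempFile('/tmp/app/report.txt')) produces;
//   $bad is the same shape with a path the class rejects.
$good = 'O:8:"TempFile":1:{s:4:"path";s:19:"/tmp/app/report.txt";}';
$bad  = 'O:8:"TempFile":1:{s:4:"path";s:11:"/etc/passwd";}';

foreach (['good' => $good, 'bad' => $bad] as $label => $payload) {
    try {
        // allowed_classes limits which classes unserialize() may instantiate,
        // so unrelated classes with their own __wakeup/__destruct never run.
        $obj = unserialize($payload, ['allowed_classes' => [TempFile::class]]);
        echo "$label: accepted\n";
        unset($obj); // the validated object's __destruct() runs here
    } catch (UnexpectedValueException $e) {
        echo "$label: rejected (" . $e->getMessage() . ")\n";
    }
}
```

With the second payload the exception from __unserialize() propagates out of unserialize(), and the "cleanup" line is never printed for the rejected object; the first payload prints "accepted" followed by the destructor's output when the object is released.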
