On Mon, Apr 15, 2019 at 3:28 PM Stanislav Malyshev <smalys...@gmail.com> wrote:
> Hi!
>
> > Thanks for responding to this issue.
> >
> > Will calling getMetaData still parse and
> > execute malicious code?
>
> If it's contained in phar and serialized data and the surrounding code
> (I understand that most techniques mentioned in the article rely on
> certain vulnerable code being present) then yes.
>

This issue was discussed on this list before.
As long as PHP calls unserialize for phar metadata, object injection is
possible, which may allow malicious code execution.

https://github.com/php/php-src/blob/master/ext/phar/phar.c#L607

I'm not sure if Phar metadata requires objects or not. If not, Phar may use
JSON. Or we may add a safer unserialize that ignores objects and references
for maximum compatibility.

Something has to be done, since we wouldn't fix memory issue(s) in
unserialization.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
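
Added example, not part of the original message and not php-src code: a userland illustration of the "unserialize that ignores objects" idea, using the `allowed_classes` option that `unserialize()` has accepted since PHP 7.0. The `Probe` class, the `load_metadata()` helper and the sample blob are constructed for illustration; the option covers only the object half of the proposal, not references.

```php
<?php
// Hypothetical stand-in for an application class whose magic methods
// have side effects. Here they only record that they ran.
final class Probe
{
    public static $events = [];
    public $label = 'default';

    public function __wakeup()
    {
        self::$events[] = "__wakeup({$this->label})";
    }

    public function __destruct()
    {
        self::$events[] = "__destruct({$this->label})";
    }
}

// Hypothetical helper: decode a metadata blob with or without objects.
function load_metadata(string $blob, bool $allowObjects)
{
    $options = $allowObjects ? [] : ['allowed_classes' => false];
    return unserialize($blob, $options);
}

// Constructed sample: array metadata that carries one serialized object.
$probe = new Probe();
$probe->label = 'from-metadata';
$blob = serialize(['title' => 'demo', 'extra' => $probe]);
unset($probe);
Probe::$events = [];           // discard events from building the sample

// Default decoding instantiates Probe, so its magic methods run.
$meta = load_metadata($blob, true);
unset($meta);
echo "objects allowed:  ", json_encode(Probe::$events), "\n";

// With allowed_classes => false the object is decoded as
// __PHP_Incomplete_Class and Probe's methods are never invoked.
Probe::$events = [];
$meta = load_metadata($blob, false);
echo "class seen:       ", get_class($meta['extra']), "\n";
echo "scalar preserved: ", $meta['title'], "\n";
unset($meta);
echo "objects refused:  ", json_encode(Probe::$events), "\n";
```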