Hi!

> Looking into the number of unserialize() related "security" issues, I
> think we should fix all of them once and forever, introducing a
> validation pass.
>
> In case something in provided data is wrong (e.g. duplicated properties
> or array keys, unexpected types, invalid references, invalid property
> visibility, etc), we should just return FALSE.
>
> I think, Stas proposed something similar some time ago.

I don't remember proposing exactly that, though the idea looks worthy to me :) I did something different though - allowing limiting unserialize to accept only a certain set of classes, which alleviates some security issues, but not all of them. This probably would catch more cases, though also not all of them.

As for the validation pass, the only issue I foresee is handling custom serializers. We'd need to either add a validation handler too (probably a good idea) or somehow handle that. Needs some investigation there.

As for this specific bug, it looks like an oversight. I'm not sure why we encode visibility in the property at all... Probably for efficiency, but I think we need to be smarter there.

--
Stas Malyshev
smalys...@gmail.com

--
PHP Internals - PHP Runtime Development Mailing List
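
The validation pass discussed in this thread, sketched as an added example (not code from the original messages or from php-src): a structural pre-check of a serialized payload that fails on duplicated array keys or properties, unexpected key types, malformed visibility prefixes and length mismatches. The function names are hypothetical, and the sketch assumes that the protected and public forms of one property name count as duplicates; references (`r:`/`R:`) and custom-serializer payloads (`C:`) are not modelled and are rejected.

```python
import re

SCALAR = re.compile(rb"N;|b:[01];|i:(-?\d+);|d:-?\d+(\.\d+)?(E[+-]?\d+)?;")
STR, ARR = re.compile(rb's:(\d+):"'), re.compile(rb"a:(\d+):\{")
OBJ, CNT = re.compile(rb'O:(\d+):"'), re.compile(rb'":(\d+):\{')

def _norm(key, is_obj):               # key form used for duplicate detection
    if key is None or (is_obj and isinstance(key, int)):
        raise ValueError("unexpected key type")
    if not is_obj:                    # PHP arrays treat "5" and 5 as one key
        canon = isinstance(key, bytes) and re.fullmatch(rb"0|-?[1-9]\d*", key)
        return int(key) if canon else key
    if key[:1] == b"\0":              # \0*\0name protected, \0Class\0name private
        cls, _, prop = key[1:].partition(b"\0")
        if not cls or not prop or b"\0" in prop:
            raise ValueError("malformed visibility prefix")
        key = prop if cls == b"*" else key  # assumed: protected == public slot
    return key

def _value(d, p):                     # returns (key form or None, next offset)
    m = SCALAR.match(d, p)
    if m:
        return (int(m.group(1)) if m.group(1) else None), m.end()
    m = STR.match(d, p)
    if m:
        end = m.end() + int(m.group(1))
        if d[end:end + 2] != b'";':
            raise ValueError("declared string length does not match the data")
        return d[m.end():end], end + 2
    is_obj = d[p:p + 1] == b"O"
    m = OBJ.match(d, p) or ARR.match(d, p)
    if m and is_obj:                  # skip the class name, then read the count
        m = CNT.match(d, m.end() + int(m.group(1)))
    if not m:                         # r:/R: and C: are not modelled: fail closed
        raise ValueError("unsupported or malformed value")
    p, keys = m.end(), []
    for _ in range(int(m.group(1))):
        key, p = _value(d, p)
        keys.append(_norm(key, is_obj))
        p = _value(d, p)[1]
    if d[p:p + 1] != b"}" or len(set(keys)) != len(keys):
        raise ValueError("duplicate key/property or missing closing brace")
    return None, p + 1

def validate(data: bytes) -> bool:
    try:
        return _value(data, 0)[1] == len(data)
    except (ValueError, RecursionError):
        return False
```

A `False` result corresponds to the "just return FALSE" behaviour proposed above; the payload would never reach the real unserializer.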