Re: [PHP-DEV] PHP deserialization techniques offer rich pickings for security researchers

2019-04-16 Thread Bishop Bettini
On Wed, Apr 17, 2019 at 12:44 AM Stanislav Malyshev wrote:
> Hi!
>
> > 2. Improve caller control on unserialization. Change the signature to
> > public Phar::getMetadata ( mixed $allowed_classes = true ) : mixed, and
> > invoke the behavior similar to how unserialize itself works. Since all
> > o

Re: [PHP-DEV] PHP deserialization techniques offer rich pickings for security researchers

2019-04-16 Thread Stanislav Malyshev
Hi!

> 2. Improve caller control on unserialization. Change the signature to
> public Phar::getMetadata ( mixed $allowed_classes = true ) : mixed, and
> invoke the behavior similar to how unserialize itself works. Since all
> of this problem stems from the use of untrusted content on the phar://
>

Re: [PHP-DEV] PHP deserialization techniques offer rich pickings for security researchers

2019-04-16 Thread Stanislav Malyshev
Hi!

> This issue was discussed in this list before.
> As long as PHP calls unserialize for phar metadata, object injection is
> possible
> which may allow malicious code execution.

Right. That's why I want to make it not unserialize this data unless it's
explicitly being requested.

> I'm not sur

Re: [PHP-DEV] PHP deserialization techniques offer rich pickings for security researchers

2019-04-16 Thread Yasuo Ohgaki
On Tue, Apr 16, 2019 at 10:55 PM Bishop Bettini wrote:
> On Tue, Apr 16, 2019 at 6:38 AM Yasuo Ohgaki wrote:
>
>> On Mon, Apr 15, 2019 at 3:28 PM Stanislav Malyshev
>> wrote:
>>
>> > Hi!
>> >
>> > > Thanks for responding to this issue.
>> > >
>> > > Will calling getMetaData still parse and
>> >

Re: [PHP-DEV] PHP deserialization techniques offer rich pickings for security researchers

2019-04-16 Thread Bishop Bettini
On Tue, Apr 16, 2019 at 6:38 AM Yasuo Ohgaki wrote:
> On Mon, Apr 15, 2019 at 3:28 PM Stanislav Malyshev
> wrote:
>
> > Hi!
> >
> > > Thanks for responding to this issue.
> > >
> > > Will calling getMetaData still parse and
> > > execute malicious code?
> >
> > If it's contained in phar and seri

Re: [PHP-DEV] PHP deserialization techniques offer rich pickings for security researchers

2019-04-16 Thread Yasuo Ohgaki
On Mon, Apr 15, 2019 at 3:28 PM Stanislav Malyshev wrote:
> Hi!
>
> > Thanks for responding to this issue.
> >
> > Will calling getMetaData still parse and
> > execute malicious code?
>
> If it's contained in phar and serialized data and the surrounding code
> (I understand that most techniques m

Re: [PHP-DEV] PHP deserialization techniques offer rich pickings for security researchers

2019-04-14 Thread Stanislav Malyshev
Hi!

> Thanks for responding to this issue.
>
> Will calling getMetaData still parse and
> execute malicious code?

If it's contained in phar and serialized data and the surrounding code (I
understand that most techniques mentioned in the article rely on certain
vulnerable code being present) the

Re: [PHP-DEV] PHP deserialization techniques offer rich pickings for security researchers

2019-04-14 Thread Raymond Irving
Hi,

Thanks for responding to this issue. Will calling getMetaData still parse and
execute malicious code?

;__ Raymond

On Sun, 14 Apr 2019, 4:47 PM Stanislav Malyshev, wrote:
> Hi!
>
> > I came across this article which highlights a few issues with PHP
> > deserialization techniques:
> >
> >

Re: [PHP-DEV] PHP deserialization techniques offer rich pickings for security researchers

2019-04-14 Thread Stanislav Malyshev
Hi!

> I came across this article which highlights a few issues with PHP
> deserialization techniques:
>
> https://portswigger.net/daily-swig/phar-out-php-deserialization-techniques-offer-rich-pickings-for-security-researchers

PHP serialization is not meant to be used with external or user-modify

[PHP-DEV] PHP deserialization techniques offer rich pickings for security researchers

2019-04-14 Thread Raymond Irving
Hello Team,

I came across this article which highlights a few issues with PHP
deserialization techniques:

https://portswigger.net/daily-swig/phar-out-php-deserialization-techniques-offer-rich-pickings-for-security-researchers