On -28163-01--10 14:59, Thijs Kinkhorst wrote:
Hi,
README.Debian.security contains:
Most specifically, the security team will not provide
support for flaws in:
- problems which are not flaws in the design of php but can be
problematic when used by sloppy developers (for example: not checking
the contents of a tar file before extracting it, using unserialize() on
untrusted data, or relying on a specific value of short_open_tag).
It is unclear to me how using unserialize() on untrusted data would
create a particular risk. Do you perhaps mean extract()?
README.Debian.security is designed to be a brief overview of what is
supported. Users that want to know more about *why* a certain technique
can be risky, can refer to the PHP manual. On the topic of unserialize(),
this writes:
"If the variable being unserialized is an object, after successfully
reconstructing the object PHP will automatically attempt to call the
__wakeup() member function (if it exists)."
which should clearly illustrate the risk with unserializing untrusted data.
Thank you Thijs.
I understand from Thijs's comment that the README is alluding to the
built-in unserialize() function:
http://ca.php.net/manual/en/function.unserialize.php
Assuming that is correct, please consider this report a reminder to clarify.
Regarding the risks in the unserialize() function, I happen to think the
quoted passage is far from a clear illustration and reported upstream
about this in https://bugs.php.net/bug.php?id=60941
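An added illustration of the __wakeup() behaviour Thijs quotes, placed beside the mitigation; this is example code written for this thread, not from the Debian README or the bug report, and the CacheEntry class and its path property are hypothetical:

```php
<?php
// Added example, not part of the bug report or README.Debian.security.
// Shows the point of the quoted manual passage: unserialize() on a string
// the caller does not control rebuilds an object of any class that is
// loaded at that moment and then runs its __wakeup() with attacker-chosen
// property values.

class CacheEntry
{
    public $path = '/var/cache/app/entry.tmp';

    public function __wakeup()
    {
        // Hypothetical housekeeping the class author wrote for their own
        // serialized objects. After unserialize() of untrusted input,
        // $this->path is whatever the input said it was.
        echo "wakeup: would act on {$this->path}\n";
    }
}

// Constructed input standing in for a cookie or form field.
// O:<len>:"<class>":<n>:{<props>} is PHP's object serialization format.
$untrusted = 'O:10:"CacheEntry":1:{s:4:"path";s:10:"/elsewhere";}';

// Unsafe: a CacheEntry is rebuilt and __wakeup() runs on its data.
$obj = unserialize($untrusted);
var_dump($obj instanceof CacheEntry);   // bool(true), __wakeup() has run

// Safer (PHP >= 7.0): refuse to instantiate any class at all. The object
// becomes __PHP_Incomplete_Class and no __wakeup() is called.
$safe = unserialize($untrusted, ['allowed_classes' => false]);
var_dump(get_class($safe));             // string(22) "__PHP_Incomplete_Class"
```

For data that only needs arrays and scalars, json_decode() avoids the object-reconstruction path entirely; where objects really must cross a trust boundary, pass an explicit list of class names in allowed_classes instead of false.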