www.webdeveloper.com

Thread: Safe Unserialization

  1. #1
    Join Date
    Sep 2006
    Posts
    683

    Question Safe Unserialization

    Hi

    As you might have heard about the unserialization exploit, PHP 7 has overcome this issue, but since it hasn't yet been released, I was looking for an alternate way to implement the same in unserialization.

    Can someone please help me with the same?

  2. #2
    Join Date
    Aug 2015
    Location
    Orlando, FL
    Posts
    5
    The safest way is to use json_encode() when saving and json_decode() when loading.

    If you're planning to trust the end user with a serialized blob, however, I'd also recommend looking into authenticated secret-key encryption. Libsodium is great; defuse/php-encryption is probably the easiest solution (we contribute significantly to it). I don't recommend a non-expert write their own OpenSSL wrapper, but if you think you can do better than Defuse Security or Paragon Initiative Enterprises, feel free.
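    An added example (editor's code, not from this post, from Libsodium or from defuse/php-encryption) of the JSON-plus-authentication approach described above: state is stored as JSON instead of a serialize() blob, and an HMAC over the blob is verified before anything is decoded, so a copy handed to the end user cannot be altered. The names safe_pack(), safe_unpack(), DEMO_KEY and the sample $session array are assumptions made for the demo.

```php
<?php
// Added example, not code from the original post or from the libraries it
// names. It replaces serialize()/unserialize() with JSON and authenticates the
// blob with an HMAC so a copy handed to the end user cannot be altered.
// safe_pack(), safe_unpack(), DEMO_KEY and the sample $session are assumptions.
declare(strict_types=1);

// Assumed: a secret loaded from configuration in real code. Hard-coded here
// only so the example runs stand-alone.
const DEMO_KEY = 'replace-me-with-32-random-bytes-from-config';

function safe_pack(array $data, string $key): string
{
    $json = json_encode($data);
    if ($json === false) {
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    // MAC the exact bytes that will later be decoded.
    $mac = hash_hmac('sha256', $json, $key);
    return $mac . '.' . base64_encode($json);
}

function safe_unpack(string $blob, string $key): array
{
    $parts = explode('.', $blob, 2);
    if (count($parts) !== 2) {
        throw new RuntimeException('malformed blob');
    }
    list($mac, $b64) = $parts;
    $json = base64_decode($b64, true);   // strict mode: reject non-base64 input
    if ($json === false) {
        throw new RuntimeException('malformed blob');
    }
    // Verify before parsing anything; hash_equals() is constant-time.
    if (!hash_equals(hash_hmac('sha256', $json, $key), $mac)) {
        throw new RuntimeException('authentication failed');
    }
    // assoc=true: JSON objects become arrays. json_decode() never instantiates
    // application classes, so no __wakeup()/__destruct() gadget can fire,
    // which is exactly the property unserialize() lacks.
    $data = json_decode($json, true);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        throw new RuntimeException('json_decode failed: ' . json_last_error_msg());
    }
    return $data;
}

// Constructed sample state.
$session = ['user_id' => 42, 'roles' => ['editor'], 'csrf' => 'demo-token'];

$blob = safe_pack($session, DEMO_KEY);
var_dump(safe_unpack($blob, DEMO_KEY) === $session);

// Tampering with the payload (here: promoting the role) fails the MAC check
// before json_decode() is ever reached.
list($mac, $b64) = explode('.', $blob, 2);
$forged = $mac . '.' . base64_encode(str_replace('editor', 'admin', base64_decode($b64)));
try {
    safe_unpack($forged, DEMO_KEY);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

    The HMAC gives integrity and authenticity only: the user can still read the contents. If the blob must also be confidential, use the authenticated secret-key encryption the post points to (libsodium or defuse/php-encryption) instead of rolling a cipher around this.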

  3. #3
    Join Date
    Sep 2006
    Posts
    683
    So is there no way we can implement PHP 7's way to handle unserialize exploit?

  4. #4
    Join Date
    Aug 2015
    Location
    Orlando, FL
    Posts
    5
    Nothing is impossible. Create a function (e.g. safe_unserialize()) with identical behavior and presto, you have a safe unserialize().

    I would recommend just waiting until PHP 7 is released. It won't be long now.

  5. #5
    Join Date
    Sep 2006
    Posts
    683
    Yes that was my question, how do I implement the *identical behavior*?

  6. #6
    Join Date
    Aug 2015
    Location
    Orlando, FL
    Posts
    5
    Quote Originally Posted by phantom007:
    Yes that was my question, how do I implement the *identical behavior*?
    https://github.com/php/php-src/blob/....c#L1013-L1068

    Basically, reverse engineer the new feature by parsing the string manually. I didn't say it would be a cakewalk.

  7. #7
    Join Date
    Sep 2006
    Posts
    683
    I am trying to use the `unserialize` function with the second param that was introduced in PHP 7 (http://www.php.net/manual/en/function.unserialize.php).
    However, it looks like PHP generates an error saying the second param should be an array and not a bool value: https://3v4l.org/9PhpO

    Does anyone have any idea why this behaviour occurs?

  8. #8
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    21,162
    I think (have never used it) you need to do:
    PHP Code:
    unserialize($foo, ['allowed_classes' => true]); 
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    How to Ask Questions the Smart Way (not affiliated with this site, but well worth reading)
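    An added example (editor's code, not from this post) of the options-array form given above, extended into the safe_unserialize() wrapper that posts #4 and #5 asked about: the second argument to unserialize() is an array, and the `allowed_classes` key inside it is what takes `true`, `false` or a list of class names. The classes Session and Evil, the two blobs and the helper names are constructed for the demo.

```php
<?php
// Added example, not code from the original post. It shows the PHP 7
// unserialize() filter: the second argument is an options array, and the
// 'allowed_classes' key inside it is what takes true, false or a list of
// class names. Passing a bare bool as the second argument is what triggers
// the "expects parameter 2 to be array" error (a TypeError on PHP 8).
// Session, Evil, safe_unserialize() and the blobs are constructed for the demo.

class Session
{
    public $user = 'alice';
}

// Stand-in for a gadget class: code in __wakeup()/__destruct() runs as a
// side effect of unserialize() if the class is allowed to be instantiated.
class Evil
{
    public $cmd = 'id';
    public function __wakeup()
    {
        echo "Evil::__wakeup ran (would execute: {$this->cmd})\n";
    }
}

// A legitimate blob and an attacker-shaped one.
$good = serialize(new Session());
$bad  = 'O:4:"Evil":1:{s:3:"cmd";s:2:"id";}';

function safe_unserialize(string $blob, array $allowed = [])
{
    // Empty whitelist => allowed_classes false: no class is instantiated at
    // all. Otherwise only the listed classes are; anything else (including
    // objects nested inside allowed ones) comes back as __PHP_Incomplete_Class,
    // whose magic methods never run.
    $options = ['allowed_classes' => $allowed === [] ? false : $allowed];
    $value = unserialize($blob, $options);
    // false is both the failure value and the legitimate result for 'b:0;'.
    if ($value === false && $blob !== 'b:0;') {
        throw new RuntimeException('unserialize failed');
    }
    return $value;
}

// Walk the result and refuse it if any filtered-out object survived, rather
// than letting an incomplete object travel further into the application.
function contains_incomplete($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    $children = is_array($value) ? $value : (is_object($value) ? get_object_vars($value) : []);
    foreach ($children as $child) {
        if (contains_incomplete($child)) {
            return true;
        }
    }
    return false;
}

// Whitelist: Session is rebuilt, Evil is filtered and __wakeup() never runs.
$s = safe_unserialize($good, ['Session']);
var_dump($s instanceof Session);
$e = safe_unserialize($bad, ['Session']);
var_dump(contains_incomplete($e));

// No whitelist: nothing is instantiated, not even Session.
var_dump(contains_incomplete(safe_unserialize($good)));

// The original, unfiltered call: the gadget fires.
unserialize($bad);
```

    Two caveats. `allowed_classes` only decides which classes may be built; a whitelisted class that itself has a dangerous __wakeup() or __destruct() is still a gadget, so keep the list to plain data holders. And for input an attacker can fully control, the JSON approach from post #2 avoids the question entirely, since json_decode() instantiates nothing.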
