I first posted this in the security tracker, but bantu told me that since this was not a security issue with the current phpBB code, this should rather be discussed publicly here.
So here is my original post :
So it's obviously a detail, but as we all know, evil is hiding into details. And this would only mean a couple more lines and two code changes, so the real question left in my mind is why not do it ?While investigating upon unserialize security concerns, it came to my mind that phpBB probably should prevent any object wake up while reading the file cache.
Not that phpBB currently uses classes with the concerned magic methods, but since the cache class is not meant to cache object it seems to me a good practice to enforce this in the acm_file.php.
The cache/ directory being the "easiest" to write in, someone could alter an existing cache file (or create one supposed to exist at one point) without necessarily having the full control over the server and possibly exploit the object reviving capabilities of unserialize.
Here is an detailed example of a successful use of this threat : http://www.suspekt.org/2009/12/09/advis ... erability/
After testing ways to make sure that unserialize would not treat serialized object, I came up with the following function :Benchmarking this shows that unserialize is only 10% faster. This makes this proposal for a safe unserialization a lot faster than the ones relying on a full replacement of the original function (being pretty much all around 10 times slower than the original).Code: Select all
/** * mixed safe_unserialize(string $serialized) * Safely unserialize, that is only unserialize string, numbers and arrays, not objects * * @param string $serialized * @return mixed */ function safe_unserialize($serialized) { // unserialize will return false for object declared with small cap o // as well as if there is any ws between O and : if (is_string($serialized) && strpos($serialized, "\0") === false) { if (strpos($serialized, 'O:') === false) { // the easy case, nothing to worry about return @unserialize($serialized); } else if (!preg_match('/(^|;|{|})O:[0-9]+:"/', $serialized)) { // in case we did have a string with O: in it, // but it was not a true serialized object return @unserialize($serialized); } } return false; }
Using this function instead in acm_file.php would ensure that the object reviving threats would be inapplicable.
I understand that you may argue that this is not truly a phpBB security issue, but even if object waking cannot currently be exploited with vanilla phpBB, it's not necessarily the case with all phpBB installations and / or with upcoming phpBB versions, and since it's not a performance issue either, it would still fell like a good practice to me to enforce the obvious : phpBB does not cache objects.