php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #73258 SplObjectStorage unserialize allows use of non-object as key
Submitted: 2016-10-06 13:39 UTC Modified: 2016-10-13 10:37 UTC
From: yannayl at checkpoint dot com Assigned: stas
Status: Closed Package: SPL related
PHP Version: 7.0.11 OS:
Private report: No CVE-ID:
 [2016-10-06 13:39 UTC] yannayl at checkpoint dot com
Description:
------------
SplObjectStorage::unserialize does not sanitize the unserialized input well enough and may pass reference to object as key in the object storage.

lines 801-809 in ext/spl/spl_observer.c unserialize the entry and verify that it's of type IS_OBJECT

```
        if (!php_var_unserialize(&entry, &p, s + buf_len, &var_hash)) {
            goto outexcept;
        }
        if (Z_TYPE(entry) != IS_OBJECT) {
            zval_ptr_dtor(&entry);
            goto outexcept;
        }
```

Then, in line 812, the following code executes
```
            if (!php_var_unserialize(&inf, &p, s + buf_len, &var_hash)) {
```

If the parsed string is a reference (R:) to the entry zval, then the php_var_unserialize_internal() function will convert the entry to zval of type IS_REFERENCE (reference to the object).

Technically, this is a type-confusion, but I don't think it's (remotely) exploitable. I am reporting it as `security` just to be safe.

Test script:
---------------
<?php
$x = unserialize('a:2:{i:0;O:8:"stdclass":0:{}i:1;C:16:"SplObjectStorage":24:{x:i:1;r:2;,R:5;;m:a:0:{}}}');

if ($x[1]->contains($x[0])) {
    echo "expected\n";
} else {
    echo "unexpected\n";
}


Expected result:
----------------
"expected" should be printed.

Actual result:
--------------
"unexpected" is printed.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-10-07 04:54 UTC] yannayl at checkpoint dot com
Note: the test script may trigger bug #73257, which is a security issue. So please don't make this bug public before fixing #73527.
 [2016-10-11 05:56 UTC] stas@php.net
-PHP Version: 7.1Git-2016-10-06 (Git) +PHP Version: 7.0.11
 [2016-10-11 05:56 UTC] stas@php.net
The fix is in security repo as 61cdd1255d5b9c8453be71aacbbf682796ac77d4 and in https://gist.github.com/878035c897be04617d38f15449b59797

please verify
 [2016-10-11 05:57 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-10-11 23:52 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=61cdd1255d5b9c8453be71aacbbf682796ac77d4
Log: Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key
 [2016-10-11 23:53 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-10-11 23:53 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2016-10-12 14:26 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=61cdd1255d5b9c8453be71aacbbf682796ac77d4
Log: Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key
 [2016-10-13 10:37 UTC] yannayl at checkpoint dot com
Looks good
 [2016-10-14 01:02 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f901dce57548cf1ef63578966ee16fa11509adcf
Log: Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=61cdd1255d5b9c8453be71aacbbf682796ac77d4
Log: Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f901dce57548cf1ef63578966ee16fa11509adcf
Log: Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f901dce57548cf1ef63578966ee16fa11509adcf
Log: Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=61cdd1255d5b9c8453be71aacbbf682796ac77d4
Log: Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC