Stanislav Malyshev has a new post to his site talking about his proposal for a filtered unserialize change and why he sees it as a practical next step.
I have recently revived my "filtered unserialize()" RFC and I plan to put it to vote today. Before I do that, I'd like to outline the arguments on why I think it is a good thing and put it in a somewhat larger context. It is known that using unserialize() on outside data can lead to trouble unless you are very careful. Which in projects large enough usually means "always", since practically you rarely can predict all interactions amongst a million lines of code. So, what can we do?
He touches on three points that would make it difficult to just not use it this way (on external data) including the fact that there's not really any other way to work with serialized data in PHP. He suggests that by adding filtering to the unserialize handling of the language it can protect from issues around working with serialized external data.
Is this a security measure? [...] Yes, it does not provide perfect security, and yes, you should not rely only on that for security. Security, much like ogres and onions, has layers. So this is trying to provide one more layer - in case that is what you need.
Link: https://php100.wordpress.com/2014/11/03/unserialize-and-being-practical/
没有评论:
发表评论