1.2.1275. Unserialize Second Arg¶
Since PHP 7.0, unserialize() accepts a second argument: an options array whose allowed_classes entry lists the classes that may be instantiated from the serialized data. If an attacker controls the serialized string, this option limits the classes that can be reached through unserialize().
One way to exploit unserialize() is to make PHP unserialize the data into an unintended class that is available at that point, possibly one that is autoloaded.
```php
<?php
// Classes used by the examples below: dbClass is the expected type,
// debugClass is another class that happens to be available (or autoloadable).
class dbClass    { public function connect() { echo "db connected\n"; } }
class debugClass { public function dump()    { echo "debugging\n"; } }

// safe unserialization : only the expected class will be instantiated.
// Any other class name in the payload yields __PHP_Incomplete_Class instead.
$serialized = 'O:7:"dbClass":0:{}';
$var = unserialize($serialized, ['allowed_classes' => ['dbClass']]);
$var->connect();

// unsafe unserialization : $var may be of any type that was in the serialized string
// although, here, this is working well.
$serialized = 'O:7:"dbClass":0:{}';
$var = unserialize($serialized);
$var->connect();

// unsafe unserialization : $var is not of the expected type.
// and, here, this will lead to disaster: debugClass is instantiated, has no connect() method,
// and the call throws an Error.
$serialized = 'O:10:"debugClass":0:{}';
$var = unserialize($serialized);
$var->connect();
?>
```
See also unserialize(), Securely Implementing (De)Serialization in PHP and Remote code execution via PHP [Unserialize].
1.2.1275.1. Suggestions¶
Pass the list of expected classes, as the allowed_classes option in the second argument, to every call to unserialize(). This option is available in PHP 7.0 and later.
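The following is an added example, not Exakat's own code, showing how the suggestion above is applied in practice: a small wrapper passes allowed_classes to unserialize() and then verifies the resulting type before the object is used, so that a payload naming any other class (which unserialize() turns into __PHP_Incomplete_Class) is rejected up front. It also shows allowed_classes => false for data-only payloads, where no object at all should appear. dbClass, unserializeAs() and unserializeData() are hypothetical names; the payloads are constructed for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical expected class (not from the original page).
class dbClass
{
    public string $dsn = 'sqlite::memory:';
    public function connect(): string { return "connected to {$this->dsn}"; }
}

/**
 * Unserialize $payload, accepting only an instance of $expected.
 * allowed_classes restricts instantiation; any other class name in the
 * payload becomes __PHP_Incomplete_Class, which fails the instanceof
 * check below instead of being used later by accident.
 * Malformed input makes unserialize() return false (plus a notice),
 * which also fails the check.
 */
function unserializeAs(string $payload, string $expected): object
{
    $value = unserialize($payload, ['allowed_classes' => [$expected]]);
    if (!$value instanceof $expected) {
        $got = is_object($value) ? get_class($value) : gettype($value);
        throw new UnexpectedValueException("Expected {$expected}, got {$got}");
    }
    return $value;
}

/**
 * Data-only payloads: no class is allowed at all, so every object in the
 * payload degrades to __PHP_Incomplete_Class, which is then rejected.
 * (is_object() reports __PHP_Incomplete_Class as an object since PHP 7.2.)
 */
function unserializeData(string $payload): array
{
    $value = unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new UnexpectedValueException('Expected an array');
    }
    array_walk_recursive($value, function ($item): void {
        if (is_object($item)) {
            throw new UnexpectedValueException('Objects are not allowed in data payloads');
        }
    });
    return $value;
}

// Constructed sample payloads.
$good   = serialize(new dbClass());                 // the expected class
$other  = 'O:10:"debugClass":0:{}';                 // some other class that might be autoloadable
$nested = 'a:1:{s:2:"db";O:10:"debugClass":0:{}}';  // object hidden inside an array

echo unserializeAs($good, dbClass::class)->connect(), PHP_EOL;

foreach ([$other, $nested] as $payload) {
    try {
        unserializeAs($payload, dbClass::class);
    } catch (UnexpectedValueException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}

try {
    unserializeData($nested);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The instanceof check matters because allowed_classes alone does not fail the call: unserialize() still returns a value (an array, a scalar, or an __PHP_Incomplete_Class instance), and it is the caller that must refuse to treat it as the expected type.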
1.2.1275.2. Specs¶
Short name | Security/UnserializeSecondArg
Rulesets |
Exakat since | 0.8.4
PHP Version | With PHP 7.0 and more recent
Severity | Critical
Time To Fix | Quick (30 mins)
Precision | High
Features | serialization
Examples |
Available in |