.. _security-unserializesecondarg:

.. _unserialize-second-arg:

Unserialize Second Arg
++++++++++++++++++++++

Since PHP 7, the ``unserialize()`` function has a second argument that limits the classes that may be unserialized. In case of a breach, this limits the classes reachable through ``unserialize()``.

One way to exploit ``unserialize()`` is to make PHP unserialize the data into an available class, possibly one that can be autoloaded.

.. code-block:: php

   <?php

   // stub classes, so that the snippet runs on its own
   class dbClass    { function connect() { echo "connecting to the database\n"; } }
   class debugClass { }

   // safe unserialization : only dbClass may be instantiated
   $serialized = 'O:7:"dbClass":0:{}';
   $var = unserialize($serialized, ['allowed_classes' => ['dbClass']]);
   $var->connect();

   // unsafe unserialization : $var may be of any type that was in the serialized string
   // although, here, this is working well.
   $serialized = 'O:7:"dbClass":0:{}';
   $var = unserialize($serialized);
   $var->connect();

   // unsafe unserialization : $var is not of the expected type.
   // and, here, this will lead to disaster.
   $serialized = 'O:10:"debugClass":0:{}';
   $var = unserialize($serialized);
   $var->connect();

   ?>

See also ``unserialize()``, "Securely Implementing (De)Serialization in PHP" and "Remote code execution via PHP [Unserialize]".

Connex PHP features
-------------------

+ serialization

Suggestions
___________

* Add a list of classes as second argument of any call to unserialize(). This is valid for PHP 7.0 and later.
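The suggestion above carried one step further, as an added example that is neither Exakat's nor PHP's own code: a wrapper that restricts ``unserialize()`` with ``allowed_classes`` and then refuses any payload in which a disallowed class, even a nested one, was replaced by ``__PHP_Incomplete_Class``. The classes ``dbClass`` and ``debugClass`` are assumed stand-ins, as in the snippet above.

```php
<?php
// Added example, not Exakat's code. Stand-in classes (assumed):
// the expected one, and one that must never be rebuilt from user data.
class dbClass    { public function connect() { return 'connected'; } }
class debugClass { public function __wakeup() { echo "debugClass::__wakeup() ran\n"; } }

/**
 * Walks arrays and objects recursively and reports whether any object
 * came back as __PHP_Incomplete_Class, i.e. its class was not allowed.
 */
function containsIncompleteClass($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_object($value)) {
        $value = (array) $value;   // also exposes private/protected properties
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsIncompleteClass($item)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * unserialize() restricted to $allowed. Objects of any other class are never
 * instantiated (so their __wakeup()/__destruct() never run); PHP substitutes
 * __PHP_Incomplete_Class, and this wrapper rejects the whole payload.
 */
function safeUnserialize(string $payload, array $allowed)
{
    $value = unserialize($payload, ['allowed_classes' => $allowed]);
    if (containsIncompleteClass($value)) {
        throw new UnexpectedValueException('serialized data contains a class outside the allow-list');
    }
    return $value;
}

// Constructed payloads: the expected object alone, then the expected object
// inside an array next to an object of a class that is not on the allow-list.
$ok = safeUnserialize('O:7:"dbClass":0:{}', ['dbClass']);
echo $ok->connect(), "\n";

try {
    safeUnserialize('a:2:{i:0;O:7:"dbClass":0:{}i:1;O:10:"debugClass":0:{}}', ['dbClass']);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), "\n";   // rejected; debugClass was never instantiated
}
```

The allow-list only keeps unknown classes out: every class left on it must itself be safe to rebuild from attacker-controlled properties. ``unserialize()`` also returns ``false`` on malformed input, which this wrapper passes through unchanged.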
Specs
_____

+--------------+------------------------------------------------------+
| Short name   | Security/UnserializeSecondArg                        |
+--------------+------------------------------------------------------+
| Rulesets     | All, Changed Behavior, Security                      |
+--------------+------------------------------------------------------+
| Exakat since | 0.8.4                                                |
+--------------+------------------------------------------------------+
| PHP Version  | With PHP 7.0 and more recent                         |
+--------------+------------------------------------------------------+
| Severity     | Critical                                             |
+--------------+------------------------------------------------------+
| Time To Fix  | Quick (30 mins)                                      |
+--------------+------------------------------------------------------+
| Precision    | High                                                 |
+--------------+------------------------------------------------------+
| Examples     | :ref:`case-piwigo-security-unserializesecondarg`,    |
|              | :ref:`case-livezilla-security-unserializesecondarg`  |
+--------------+------------------------------------------------------+
| Available in | Entreprise Edition, Exakat Cloud                     |
+--------------+------------------------------------------------------+