Fix GH-21682: Add NOT_SERIALIZABLE to ZipArchive, XMLWriter, XMLReader, SNMP, tidy, tidyNode#21694
Fix GH-21682: Add NOT_SERIALIZABLE to ZipArchive, XMLWriter, XMLReader, SNMP, tidy, tidyNode#21694iliaal wants to merge 2 commits intophp:masterfrom
Conversation
iliaal
force-pushed
the
fix/gh-21682-ziparchive-not-serializable
branch
from
b7a9957 to
b668c21
Compare
|
One thing to keep in mind is that it may introduce issues analogous to #8996 |
|
Serializing these classes today: Re child classes and GH-8996: only Happy to switch to the DOM-style custom handler if you'd prefer that over |
ndossche
left a comment
ndossche
left a comment
There was a problem hiding this comment.
Fair enough, see my nitpick remark.
ext/zip/tests/bug72434.phpt
Outdated
| @@ -1,29 +1,17 @@ | |||
| --TEST-- | |||
| Bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize | |||
| --EXTENSIONS-- | |||
There was a problem hiding this comment.
This test should be moved to ext/zip/tests
There was a problem hiding this comment.
fair enough, moved as asked.
DanielEScherzer
left a comment
DanielEScherzer
left a comment
There was a problem hiding this comment.
Re child classes and #8996: only tidyNode is final, but unlike DOM none of these classes can capture or restore their internal C state
ZipArchive will have a way to capture this soon with #21497, see https://github.com/tstarling/php-src/blob/de15d91b44fe56d7e02c4ada8e6e7c0ea13ef146/ext/zip/tests/ZipArchive_closeString_basic.phpt, so allowing subclasses to be serialized might be useful - can you split out the ZipArchive changes? In the absence of a maintainer for ext/zip we should at least give more consideration after #21497 before deciding to prevent subclass serialization
…ND_TRIPPABLE These classes wrap native C handles and silently lose state through property restoration. Matches php/php-src#21694 which adds NOT_SERIALIZABLE to them; the explicit list protects older PHP versions where the flag isn't set yet.
Granted, I'll split the ZipArchive change into its own PR so the other changes can go in. We can revisit Zip once #21497 merges and we see what subclasses actually need. |
These classes wrap native C handles (libxml2 writer/reader, SNMP session, libTidy document/node) that cannot survive serialization. Unserializing produces a broken object with NULL internal pointers.
bug72479.phpt tested a UAF via unserialize() of SNMP. With NOT_SERIALIZABLE, unserialize() rejects the class entirely, preventing the UAF by construction. Update the test to verify the rejection.
iliaal
force-pushed
the
fix/gh-21682-ziparchive-not-serializable
branch
from
602c0b0 to
119e9dd
Compare
DanielEScherzer
dismissed
their stale review
PR title needs to be updated, but otherwise no remaining objections about ZipArchive
3 participants
Part of #21682
Five classes wrap native C handles but allow serialization. Unserializing them produces objects with NULL internal pointers.
Segfault:
tidyNode(ext/tidy): crashes onhasChildren(), danglingTidyNodepointerSilent data loss:
tidy(ext/tidy):body()returns NULL,cleanRepair()no-opsSNMP(ext/snmp): methods run against a dead session without errorThrows on use:
XMLWriter(ext/xmlwriter): methods throw "Invalid or uninitialized XMLWriter object"XMLReader(ext/xmlreader):read()throws "Data must be loaded before reading"Adds
@not-serializableto all five soserialize()throws instead of producing broken objects.The UAF exploit test
bug72479.phptinstantiated SNMP viaunserialize(). WithNOT_SERIALIZABLE,unserialize()rejects the class and closes the UAF vector.ZipArchive moved to a follow-up PR after review feedback.