[FIX] Fix to security issue

vze3k59w
Registered User
Posts: 485
Joined: Fri May 09, 2003 1:09 am

[FIX] Fix to security issue

Post by vze3k59w »

Because of the issues with < 4.3.10, I decided to make equivalent functions of serialize and unserialize... It can do anything, including objects, but as a security feature it will not create the object without the class already existing. Realpath was also patched using a php.net manual function.. The code is updated here: http://www.project-minerva.org/home/vie ...

```php
function serializer($input)
{
	// Native serialize() is fine from 4.3.10 on; only emulate it below that
	if (version_compare(phpversion(), '4.3.10', '>='))
	{
		return serialize($input);
	}
	switch (gettype($input))
	{
		case 'integer':
		{
			return 'i:' . $input . ';';
		}
		case 'string':
		{
			// The length is a byte count, so the bytes may contain quotes
			return 's:' . strlen($input) . ':"' . $input . '";';
		}
		case 'double':
		{
			return 'd:' . $input . ';';
		}
		case 'NULL':
		{
			return 'N;';
		}
		case 'boolean':
		{
			return 'b:' . ($input ? '1' : '0') . ';';
		}
		case 'object':
		{
			$classname = get_class($input);
			// __sleep() names the properties to store; otherwise store them all
			if (in_array('__sleep', get_class_methods($input)))
			{
				$names = $input->__sleep();
			}
			else
			{
				$names = array_keys(get_object_vars($input));
			}
			$doop = '';
			foreach ($names as $name)
			{
				$doop .= serializer($name) . serializer($input->$name);
			}
			return 'O:' . strlen($classname) . ':"' . $classname . '":' . count($names) . ':{' . $doop . '}';
		}
		case 'array':
		{
			$out = '';
			foreach ($input as $key => $value)
			{
				$out .= serializer($key) . serializer($value);
			}
			return 'a:' . count($input) . ':{' . $out . '}';
		}
	}
	return '';
}
```
Last edited by vze3k59w on Thu Dec 23, 2004 12:54 am, edited 10 times in total.
Wanna join a very advanced OO based modular port of phpBB? PM me :)
vze3k59w
Registered User
Posts: 485
Joined: Fri May 09, 2003 1:09 am

Post by vze3k59w »

```php
function unserializer($string, $reset = true)
{
	// Native unserialize() is fine from 4.3.10 on; only emulate it below that
	if (version_compare(phpversion(), '4.3.10', '>='))
	{
		return unserialize($string);
	}
	// Cursor into $string, shared with the recursive calls ($reset = false)
	static $stringpos = 0;
	if ($reset)
	{
		$stringpos = 0;
	}
	switch ($string[$stringpos])
	{
		case 'd':
		{
			// d:<float>;
			$start = strpos($string, ':', $stringpos) + 1;
			$end = strpos($string, ';', $start);
			$strdouble = substr($string, $start, $end - $start);
			$stringpos += 3 + strlen($strdouble);
			return doubleval($strdouble);
		}
		case 'O':
		{
			// O:<namelen>:"<classname>":<count>:{<key><value>...}
			$start = strpos($string, ':', $stringpos) + 1;
			$end = strpos($string, ':', $start);
			$length = intval(substr($string, $start, $end - $start));
			$classname = substr($string, $end + 2, $length);
			$cstart = $end + 2 + $length + 2;      // past the closing quote and ':'
			$cend = strpos($string, ':', $cstart);
			$count = intval(substr($string, $cstart, $cend - $cstart));
			$stringpos = $cend + 2;                // past ':{'
			$props = array();
			for ($i = 0; $i < $count; $i++)
			{
				$key = unserializer($string, false);
				$value = unserializer($string, false);
				$props[$key] = $value;
			}
			$stringpos++;                          // past the closing '}'
			// Security feature: never create an object of a class that is not already loaded
			if (!class_exists($classname))
			{
				return null;
			}
			$object = new $classname;
			foreach ($props as $key => $value)
			{
				$object->$key = $value;
			}
			if (in_array('__wakeup', get_class_methods($object)))
			{
				$object->__wakeup();
			}
			return $object;
		}
		case 'b':
		{
			// b:0; or b:1;
			$bool = $string[$stringpos + 2];
			$stringpos += 4;
			return $bool == '1';
		}
		case 'N':
		{
			// N;  (returned as 0 by design, see the later post in this thread)
			$stringpos += 2;
			return 0;
		}
		case 'i':
		{
			// i:<int>;
			$start = strpos($string, ':', $stringpos) + 1;
			$end = strpos($string, ';', $start);
			$strint = substr($string, $start, $end - $start);
			$stringpos += 3 + strlen($strint);
			return intval($strint);
		}
		case 's':
		{
			// s:<len>:"<bytes>";  ($len is a byte count, so the bytes may contain quotes)
			$start = strpos($string, ':', $stringpos) + 1;
			$end = strpos($string, ':', $start);
			$stlen = substr($string, $start, $end - $start);
			$length = intval($stlen);
			$stringpos += 6 + strlen($stlen) + $length;
			return substr($string, $end + 2, $length);
		}
		case 'a':
		{
			// a:<count>:{<key><value>...}
			$start = strpos($string, ':', $stringpos) + 1;
			$end = strpos($string, ':', $start);
			$stlen = substr($string, $start, $end - $start);
			$length = intval($stlen);
			$alRet = array();
			$stringpos += 4 + strlen($stlen);
			for ($i = 0; $i < $length; $i++)
			{
				$key = unserializer($string, false);
				$value = unserializer($string, false);
				$alRet[$key] = $value;
			}
			$stringpos++;                          // past the closing '}'
			if ($stringpos < strlen($string) && $string[$stringpos] == ';')
			{
				$stringpos++;
			}
			return $alRet;
		}
		default:
		{
			return '';
		}
	}
}
```
Finished
Code has been updated to reflect security flaw found by chrisg, thanks chris!
Last edited by vze3k59w on Mon Dec 20, 2004 9:43 pm, edited 13 times in total.
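An added example, not code from the thread: it puts the same rule the unserializer() above enforces (no object for a class that is not already loaded) in front of the native unserialize(), as an explicit allow-list. It assumes PHP 5 or later for class_exists($name, false); safe_unserialize(), the Minerva_Session class and the payloads are constructed for this example.

```php
<?php
// Added example, not code from the thread. It applies the same rule the
// thread's unserializer() enforces (refuse to build an object whose class is
// not already loaded) in front of the native unserialize(), as an allow-list.
// Minerva_Session and the payloads below are constructed for this example.

class Minerva_Session
{
	var $user_id = 0;
	var $style = 'default';
}

function safe_unserialize($payload, $allowed_classes)
{
	// Every object token is O:<len>:"<classname>": (C: for custom-serialised ones)
	if (preg_match_all('/[OC]:\d+:"([^"]*)":/', $payload, $m))
	{
		foreach ($m[1] as $class)
		{
			// Not allow-listed, or not loaded yet (no autoload is triggered): refuse
			if (!in_array($class, $allowed_classes, true) || !class_exists($class, false))
			{
				return null;
			}
		}
	}
	// PHP 7+: the engine enforces the list as well; earlier versions lack the option
	if (version_compare(phpversion(), '7.0.0', '>='))
	{
		return unserialize($payload, array('allowed_classes' => $allowed_classes));
	}
	return unserialize($payload);
}

$allowed = array('Minerva_Session');

// A legitimate cookie value round-trips to an equal object
$session = new Minerva_Session();
$session->user_id = 42;
$restored = safe_unserialize(serialize($session), $allowed);

// Constructed payloads naming a class this script never defines,
// once at top level and once nested inside an array
$direct = safe_unserialize('O:11:"Not_A_Class":1:{s:5:"style";s:3:"red";}', $allowed);
$nested = safe_unserialize('a:1:{i:0;O:11:"Not_A_Class":0:{}}', $allowed);

echo ($restored == $session && $direct === null && $nested === null)
	? "guard OK\n" : "guard FAILED\n";
```

The regex also refuses a payload whose string data merely looks like an object token, which errs on the safe side for cookie values.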
vze3k59w
Registered User
Posts: 485
Joined: Fri May 09, 2003 1:09 am

Post by vze3k59w »

Changed serializer to take objects..
vze3k59w
Registered User
Posts: 485
Joined: Fri May 09, 2003 1:09 am

Post by vze3k59w »

unserializer now takes objects; it is now a very good replacement for serialize and unserialize. It will give identical output with very small overhead. Any comments?
smithy_dll
Former Team Member
Posts: 7630
Joined: Tue Jan 08, 2002 6:27 am
Location: Australia
Name: Lachlan Smith
Contact:

Post by smithy_dll »

can you do a benchmark to show how much overhead exactly there is? (say with 1,000,000 trials)
Systems Engineering
vze3k59w
Registered User
Posts: 485
Joined: Fri May 09, 2003 1:09 am

Post by vze3k59w »

Sure.
vze3k59w
Registered User
Posts: 485
Joined: Fri May 09, 2003 1:09 am

Post by vze3k59w »

After 10,000 iterations, it was fairly uneven... the regular serializer was:
Built-in: 0.31570601463318
Homemade: 4.8483929634094
Testing unserializer
vze3k59w
Registered User
Posts: 485
Joined: Fri May 09, 2003 1:09 am

Post by vze3k59w »

unserializer did not do as badly as the serializer and got very close to the built-in function:
Homemade: 0.92366194725037
Built-in: 0.29602408409119
vze3k59w
Registered User
Posts: 485
Joined: Fri May 09, 2003 1:09 am

Post by vze3k59w »

Considering that this will happen to a user twice in his whole session, it's not that bad... 'Cause after he gets the cookies, the cookies are read and never touched again... until he logs out (where they don't need to be written anymore, just read).
vze3k59w
Registered User
Posts: 485
Joined: Fri May 09, 2003 1:09 am

Post by vze3k59w »

Updated code, this site now uses the same code I use.
vze3k59w
Registered User
Posts: 485
Joined: Fri May 09, 2003 1:09 am

Post by vze3k59w »

Updated again, deserialization of a null returns as 0.
iloserman
Registered User
Posts: 1147
Joined: Wed Aug 20, 2003 7:45 pm
Location: My Closet Mode: Working
Contact:

Post by iloserman »

Awesome.

I was looking for something like this earlier on php.net


ILM
- Have a problem? I would love to help you out.
[ AIM ] [ MSN ] [ PM ] [ E-MAIL ] [ Website ] <- Contact info below.

Over 2,550+ users assisted, outside of phpBB. 37 Hosted.
User avatar
vze3k59w
Registered User
Posts: 485
Joined: Fri May 09, 2003 1:09 am

Post by vze3k59w »

It is the only code out on the net that can serialize PHP objects (other than PHP itself).
vze3k59w
Registered User
Posts: 485
Joined: Fri May 09, 2003 1:09 am

Post by vze3k59w »

Set it up to return the native function if your version of php is 4.3.10 or greater
vze3k59w
Registered User
Posts: 485
Joined: Fri May 09, 2003 1:09 am

Post by vze3k59w »

Removed the race condition of having the class exist while you unserialize. Also supported __wake and __sleep... Please kill me now, I just rewrote a system function...