Fix GH-21682: Add NOT_SERIALIZABLE to ZipArchive, XMLWriter, XMLReader, SNMP, tidy, tidyNode#21694
Fix GH-21682: Add NOT_SERIALIZABLE to ZipArchive, XMLWriter, XMLReader, SNMP, tidy, tidyNode#21694iliaal wants to merge 4 commits intophp:masterfrom
Conversation
ZipArchive allowed serialization, producing a string that unserializes into an empty object with no open file handle. Add the @not-serializable annotation so serialize() throws an exception. Closes phpGH-21682
These classes wrap native C handles (libxml2 writer/reader, SNMP session, libTidy document/node) that cannot survive serialization. Unserializing produces a broken object with NULL internal pointers.
bug72479.phpt and bug72434.phpt tested UAF vulnerabilities through unserialize(). With NOT_SERIALIZABLE, unserialize() rejects these classes entirely, preventing the UAF by construction. Update tests to verify the rejection.
iliaal
force-pushed
the
fix/gh-21682-ziparchive-not-serializable
branch
from
b7a9957 to
b668c21
Compare
|
One thing to keep in mind is that it may introduce issues analogous to #8996 |
|
Serializing these classes today: Re child classes and GH-8996: only Happy to switch to the DOM-style custom handler if you'd prefer that over |
ndossche
left a comment
ndossche
left a comment
There was a problem hiding this comment.
Fair enough, see my nitpick remark.
| @@ -1,29 +1,17 @@ | |||
| --TEST-- | |||
| Bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize | |||
| --EXTENSIONS-- | |||
There was a problem hiding this comment.
This test should be moved to ext/zip/tests
There was a problem hiding this comment.
fair enough, moved as asked.
Test requires the zip extension and tests ZipArchive behavior.
DanielEScherzer
left a comment
DanielEScherzer
left a comment
There was a problem hiding this comment.
Re child classes and #8996: only tidyNode is final, but unlike DOM none of these classes can capture or restore their internal C state
ZipArchive will have a way to capture this soon with #21497, see https://github.com/tstarling/php-src/blob/de15d91b44fe56d7e02c4ada8e6e7c0ea13ef146/ext/zip/tests/ZipArchive_closeString_basic.phpt, so allowing subclasses to be serialized might be useful - can you split out the ZipArchive changes? In the absence of a maintainer for ext/zip we should at least give more consideration after #21497 before deciding to prevent subclass serialization
3 participants
Fixes #21682
Six classes wrap native C handles but allow serialization. Unserializing them produces objects with NULL internal pointers.
Segfault:
tidyNode(ext/tidy): crashes onhasChildren(), danglingTidyNodepointerSilent data loss:
ZipArchive(ext/zip):numFilesreturns 0, archive contents gonetidy(ext/tidy):body()returns NULL,cleanRepair()no-opsSNMP(ext/snmp): methods run against a dead session without errorThrows on use:
XMLWriter(ext/xmlwriter): methods throw "Invalid or uninitialized XMLWriter object"XMLReader(ext/xmlreader):read()throws "Data must be loaded before reading"Adds
@not-serializableto all six soserialize()throws instead of producing broken objects.Two existing UAF exploit tests (
bug72479.phpt,bug72434.phpt) relied onunserialize()instantiating SNMP and ZipArchive objects. WithNOT_SERIALIZABLE,unserialize()rejects these classes outright, removing the UAF vector.