common_functions.inc.php

ralfbecker_sf 2016-03-27 08:41:04 UTC #1

Author: ralfbecker
New Revision: 55527

URL: http://svn.stylite.de/viewvc/egroupware?rev=55527&view=rev
Log:
for PHP 7.0+ prefer new 2. unserialize parameter [“allowed_classes”=>false] for our php_safe_unserialize over our regular expression solution giving some false positives

Modified:
trunk/phpgwapi/inc/common_functions.inc.php

Modified: trunk/phpgwapi/inc/common_functions.inc.php
URL: http://svn.stylite.de/viewvc/egroupware/trunk/phpgwapi/inc/common_functions.inc.php?rev=55527&r1=55526&r2=55527&view=diff

— trunk/phpgwapi/inc/common_functions.inc.php (original)
+++ trunk/phpgwapi/inc/common_functions.inc.php Sun Mar 27 10:41:04 2016
@@ -1703,15 +1703,22 @@
*

Should be used for all external content, to guard against exploidts.

- PHP 7.0+ can be told not to instanciate any classes (and calling eg. it’s destructor).
- In fact it instanciates it as __PHP_Incomplete_Class without any methods and therefore disarming threads.
- @param string $str
- @return mixed
  */
  function php_safe_unserialize($str)
  {
if (PHP_VERSION >= 7)
{

  return unserialize($str, array('allowed_classes' => false));

}
if ((strpos($str, ‘O:’) !== false || strpos($str, ‘C:’) !== false) &&
preg_match(’/(^|;|{)[OC]:\d+:"/’, $str))
{

  error_log(__METHOD__."('$str') contains objects --> return false");

```
  error_log(__METHOD__."('$str') contains objects --> return NULL");
  return null;	// null, not false, to not trigger behavior of returning string itself to app code
```
}
return unserialize($str);
@@ -1727,19 +1734,39 @@
“O:20:“Horde_Prefs_Identity”:2:{s:9:”\x00*\x00_prefs";O:11:“Horde_Prefs”:2:{s:8:"\x00*\x00_opts";a:1:{s:12:“sizecallback”;" => false,
“a:2:{i:0;O:12:“Horde_Config”:1:{s:13:”\x00*\x00_oldConfig";s:#{php_injection.length}:"#{php_injection}";}i:1;s:13:“readXMLConfig”;}}" => false,
‘a:6:{i:0;i:0;i:1;d:2;i:2;s:4:“ABCD”;i:3;r:3;i:4;O:8:“my_Class”:2:{s:1:“a”;r:6;s:1:“b”;N;};i:5;C:16:“SplObjectStorage”:14:{x:i:0;m:a:0:{}}’ => false,
```
  serialize(new stdClass()) => false,
```

  serialize(array(new stdClass(), new SplObjectStorage())) => false,
  // string content, safe to unserialize
  serialize('O:8:"stdClass"') => true,
  serialize('C:16:"SplObjectStorage"') => true,
  serialize(array('a' => 'O:8:"stdClass"', 'b' => 'C:16:"SplObjectStorage"')) => true,

  // false positive: failing our tests, because it has correct delimiter (^|;|{) in front of pattern :-(

  // false positive: failing our php<7 regular expression, because it has correct delimiter (^|;|{) in front of pattern :-(
  serialize('O:8:"stdClass";C:16:"SplObjectStorage"') => true,

) as $str => $result)
{

  if ((bool)php_safe_unserialize($str) !== $result)

  if ((bool)($r=php_safe_unserialize($str)) !== $result)
  {
  	if (!$result)
  	{

```
  		echo "FAILED: $str\n";
```

```
  		if (PHP_VERSION >= 7)
```
```
  		{
```

  			if (preg_match_all('/([^ ]+) Object\(/', array2string($r), $matches))

```
  			{
```
```
  				foreach($matches[1] as $class)
```
```
  				{
```

  					if (!preg_match('/^__PHP_Incomplete_Class(#\d+)?$/', $class))

```
  					{
```
```
  						echo "FAILED: $str\n";
```
```
  						continue 2;
```
```
  					}
```
```
  				}
```
```
  			}
```

  			echo "passed: ".array2string($str)." = ".array2string($r)."\n";

```
  		}
```
```
  		else
```
```
  		{
```
```
  			echo "FAILED: $str\n";
```
```
  		}
  	}
  	else
  	{
```

@@ -1750,6 +1777,7 @@
{
echo “passed: $str\n”;
}

  //echo "result=".array2string($result).", php_save_unserialize('".htmlspecialchars($str)."') = ".array2string(php_safe_unserialize($str))." --> ".array2string((bool)php_safe_unserialize($str))."\n";

}
}*/

Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785351&iu=/4140

eGroupWare-cvs mailing list
eGroupWare-cvs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-cvs