An experienced PHP developer might be wondering why posting this topic in a blog if PHP already has universal and almost transparent tools for this job [...] The key statement here is "almost transparent" which means you have to include all class definitions before invoking unserialize or use some __autoload schema.

The whole problem is due to the fact a serialized object has no idea about its class definition except the class name(the reason behind that is absolutely valid). [...] That's why I decided to hack up, hopefully, a more universal solution to this problem

His method contains things inside of a "serialization container" that automagically includes everything needed before it gets serialized. His code for the method is included as well as some examples of its use.

Serialize is useful for storing or passing PHP values around without losing type and structure. But if you want to serialize a SimpleXml object, you will have some problem on unserialize with the error. [...] Replacing SimpleXMLObject with stdClass is a good idea but in this solution we loose all of attributes, and how can we make simplexml->xpath after?

The solution? Serializing the XML content and then outputting it from the SimpleXML object as an XML string (to be stored). This process is reversed when the data is needed back out.

The PHP 5 branch of the PHP source code lacks the protection against possible integer overflows inside ecalloc() that is present in the PHP 4 branch and also for several years part of our Hardening-Patch and our new Suhosin-Patch.

It was discovered that such an integer overflow can be triggered when user input is passed to the unserialize() function.

You can get the full details from this advisory release including a recommendation to patch the installation until it is corrected in the current distribution.

This implementation uses a seperate module that abuses PHP5's overloading functionality to integrate it easily. He also looked into another solution, however - creating a "datatype map" to help with the custom automatic serialization of datatypes (not just dependant on the variable type like before). Be sure to check out the comments for more thoughts on the subject, including validation of the custom datatypes.

While talking with PHP developers this morning I thought of another way unverified serialized strings could be abused. This exploit can only affect PHP 5 installs though, but given the growing market share of PHP 5 it is certainly something worth noting.

As you may know classes in PHP are allowed to implement a magic method called __wakeup() that contains operation that are to be performed when a class is deserialized. Some native classes like PDO implement this function with a goal of preventing database serialization and throw an error when it is used.

He uses an example with PDO and a string of a serialized "supposed PDO object" to illustrate how, without the proper handling, it could lead to a fatal error in the script. The end result of the fatal error, if displaying errors is still on, could be that somewhat sensitive information could be displayed to the viewer.]]> Thu, 23 Mar 2006 06:59:23 -0600 http://www.phpdeveloper.org/news/4888 http://www.phpdeveloper.org/news/4888 the announcement of the new Yahoo! PHP Development Center, there's been a lot of buzz around the PHP community, including this new post from Harry Fuecks over on the SitePoint PHP Blog today.

Via John Cox, Yahoo! have opened up a PHP Development Center for their search APIs and, more interestingly, have started exposing their search data as serialized PHP strings. That's "serialized" as in the serialize function.

This is very cool but think a little caution is needed when using it, given that it wasn't designed to be a wire format but rather for local storage of PHP data, within a trusted environment.

In the rest of the post he looks at a few different topics - whether it's inherently safe to use, a quick look at chatacter encoding, and an example of how to use the service with the PEAR::HTTP_Request package.]]> Thu, 23 Feb 2006 07:17:43 -0600