问题描述
有什么办法可以限制 PHP 的 unserialize() 只能解析数组?出于安全原因.假设在我不想调用的未序列化对象中有一个邪恶的 __unserialize() 魔法方法!
Is there any way to limit PHP's unserialize() to only parse arrays?For security reasons. Suppose there is is an evil __unserialize() magic method in the unserialized object I don't wanna call!
推荐答案
有几种方法可以解决这个问题:
There are a couple of ways you could solve this problem:
- 在序列化字符串上使用正则表达式:
Piwik 修补了一个反序列化漏洞 进行以下检查:
Piwik patched an unserialize vulnerability with the following check:
if (preg_match('/^a:[0-9]+:{/', $str)
&& !preg_match('/(^|;|{|})O:\+?[0-9]+:"/', $str)
对已签名的字符串进行签名.如果您向 Cookie/POST Var 添加序列化字符串的 sha1 哈希 + 机密.您可以确定序列化的字符串没有被操纵.
Sign the signed string. If you add an sha1 Hash of the serialized string + a secret to the Cookie/POST Var. You can be sure that the serialized string isn't manipulated.
编写自己的反序列化函数.如果您只对数组感兴趣,则不需要反序列化.自己写一些东西或使用可接受的标准,如 JSON 等.
Write your own unserialize function. If you are only interested in Arrays, you don't need unserialize. Write something on your own or use an accepted standard like JSON etc.
请忽略此处未发现安全问题的所有评论.unserialize() 漏洞存在于 PHP5 应用程序中的比例高得令人难以置信,而且大多数书籍和教程甚至都没有讨论它们.
And please ignore all comments that don't see a security issue here. unserialize() vulnerabilites exists in an incredible high percentage of PHP5 Applications and most books and tutorials don't even talk about them.
这篇关于限制 unserialize() 返回数组?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!