45 lines
1.1 KiB
Plaintext
45 lines
1.1 KiB
Plaintext
|
=== How to fix it in Laminas
|
||
|
|
|
||
|
|
The following code is vulnerable to deserialization attacks because it
|
||
|
|
deserializes HTTP data without validating it first.
|
||
|
|
|
||
|
|
==== Noncompliant code example
|
||
|
|
|
||
|
|
[source,php,diff-id=1,diff-type=noncompliant]
|
||
|
|
----
|
||
|
|
$serializer = new Adapter\PhpSerialize();
|
||
|
|
$session = $serializer->unserialize($_COOKIE['session']); // Noncompliant
|
||
|
|
return new ViewModel([
|
||
|
|
"auth" => $session->auth
|
||
|
|
]);
|
||
|
|
----
|
||
|
|
|
||
|
|
==== Compliant solution
|
||
|
|
|
||
|
|
[source,php,diff-id=1,diff-type=compliant]
|
||
|
|
----
|
||
|
|
$serializer = new Adapter\Json();
|
||
|
|
$session = $serializer->unserialize($_COOKIE['session']);
|
||
|
|
return new ViewModel([
|
||
|
|
"auth" => $session['auth']
|
||
|
|
]);
|
||
|
|
----
|
||
|
|
|
||
|
|
=== How does this work?
|
||
|
|
|
||
|
|
include::../../common/fix/introduction.adoc[]
|
||
|
|
|
||
|
|
include::../../common/fix/safer-serialization.adoc[]
|
||
|
|
|
||
|
|
The example compliant code uses the `Json` adapter to perform the
|
||
|
|
deserialization. This one will not carry out any automatic object instantiation
|
||
|
|
and is thus safer than its `PhpSerialize` counterpart.
|
||
|
|
|
||
|
|
include::../../common/fix/integrity-check.adoc[]
|
||
|
|
|
||
|
|
include::../../common/fix/pre-approved-list.adoc[]
|
||
|
|
|
||
|
|
=== Pitfalls
|
||
|
|
|
||
|
|
include::../../common/pitfalls/constant-time.adoc[]
|