phdphd Posted August 24, 2018

Hi All,

In a recent paper about unserialization attacks ("File Operation Induced Unserialization via the “phar://” Stream Wrapper") that can be found here the recommended defence is:

"To prevent the exploitation of this issue it is imperative to prevent attacker-controlled data being used in the beginning of a file name used in any of the file operations which can trigger stream wrappers."

Is there a way to implement this protection? Could a regex on the filename do the job?

Thanks!

requinix Posted August 24, 2018

The answer is simple: don't ask users for filenames on your server, and don't use their input to decide what a filename should be on your server. That's all you have to do.

phdphd (Author) Posted August 24, 2018

Thanks for your answer.

For example, my website allows the user to upload jpeg files. Before storing the files, in addition to doing some checks, it renames the files in such a way that there will never be two files bearing the same name. Later, when the website displays those images, it first checks whether the corresponding files exist (if (file_exists(…))). Is this approach at risk as far as unserialization attacks are concerned?

requinix Posted August 24, 2018

As long as the original filename has no bearing on the filename used on your server, yes.

phdphd (Author) Posted August 25, 2018

Thanks!
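
One way to apply the advice in this thread, as an added example (not code from either poster or from the paper): the stored name is generated on the server, and the lookup accepts only that exact shape behind a fixed directory prefix, so request data can never sit at the beginning of the name passed to `file_exists()`. `UPLOAD_DIR`, `store_upload()` and `image_path()` are hypothetical names, and the directory is an assumed location.

```php
<?php
declare(strict_types=1);

// Assumed storage directory outside the web root (hypothetical path).
const UPLOAD_DIR = '/var/www/storage/uploads';

/** Store an uploaded JPEG under a server-generated name and return its ID. */
function store_upload(string $tmpPath): string
{
    // $tmpPath must be $_FILES[...]['tmp_name'], which PHP chooses, not the client.
    if (!is_uploaded_file($tmpPath)) {
        throw new RuntimeException('not an uploaded file');
    }
    // Decide the type from the file's bytes, never from the client-supplied name.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new RuntimeException('not a JPEG image');
    }
    // 128 random bits: unique in practice, and nothing from the original
    // filename survives into the stored name.
    $id = bin2hex(random_bytes(16));
    if (!move_uploaded_file($tmpPath, UPLOAD_DIR . '/' . $id . '.jpg')) {
        throw new RuntimeException('could not store upload');
    }
    return $id;
}

/** Map an ID taken from a request to a stored file path, or null if invalid. */
function image_path(string $id): ?string
{
    // Allowlist the exact shape store_upload() produces. ':' and '/' cannot
    // pass, so a "phar://" prefix (or any other wrapper scheme) is rejected
    // without having to enumerate wrapper names in a blocklist regex.
    if (preg_match('/\A[0-9a-f]{32}\z/', $id) !== 1) {
        return null;
    }
    // The fixed absolute prefix is what starts the file name, not user data.
    $path = UPLOAD_DIR . '/' . $id . '.jpg';
    return file_exists($path) ? $path : null;
}
```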