phdphd, posted August 24, 2018

Hi All,

In a recent paper about unserialization attacks ("File Operation Induced Unserialization via the “phar://” Stream Wrapper") that can be found here the recommended defence is:

"To prevent the exploitation of this issue it is imperative to prevent attacker-controlled data being used in the beginning of a file name used in any of the file operations which can trigger stream wrappers."

Is there a way to implement this protection? Could a regex on the filename do the job?

Thanks!

requinix, posted August 24, 2018

The answer is simple: don't ask users for filenames on your server, and don't use their input to decide what a filename should be on your server. That's all you have to do.

phdphd (Author), posted August 24, 2018

Thanks for your answer.

For example, my website allows the user to upload jpeg files. Before storing the files, in addition to doing some checks, it renames the files in such a way that there will never be two files bearing the same name. Later, when the website displays those images, it first checks whether the corresponding files exist (if (file_exists(…))). Is this approach at risk as far as unserialization attacks are concerned?

requinix, posted August 24, 2018

As long as the original filename has no bearing on the filename used on your server, yes.

phdphd (Author), posted August 25, 2018

Thanks!
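
An added example, not code from the thread or its posters: one way to apply the advice above in PHP for the upload case described, assuming a hypothetical UPLOAD_DIR and hypothetical helper names newStoredName(), storedPath() and imageExists(). The stored name comes only from server-side randomness, and any identifier received later must match that exact shape before it reaches file_exists(), so a fixed directory is always the beginning of the file name.

```php
<?php
declare(strict_types=1);

// Hypothetical storage directory for this example (constructed, not from the thread).
const UPLOAD_DIR = '/var/www/uploads';

/** Build a stored name from server-side randomness only; the client's filename is never used. */
function newStoredName(): string
{
    return bin2hex(random_bytes(16)) . '.jpg';
}

/**
 * Map an identifier received from a request to a path on disk.
 * Returns null unless the identifier has exactly the shape newStoredName() produces.
 */
function storedPath(string $id): ?string
{
    // Allow-list: 32 lowercase hex characters plus ".jpg". No ':' or '/' can pass,
    // so no "scheme://" prefix can appear. \z also rejects a trailing newline.
    if (preg_match('/\A[0-9a-f]{32}\.jpg\z/', $id) !== 1) {
        return null;
    }
    // The fixed directory is always the beginning of the name given to file operations.
    return UPLOAD_DIR . '/' . $id;
}

/** Existence check that only ever sees a path built by storedPath(). */
function imageExists(string $id): bool
{
    $path = storedPath($id);
    return $path !== null && file_exists($path);
}

// Constructed sample inputs: one well-formed name and three that must be rejected.
$samples = [
    newStoredName(),
    'phar://uploads/avatar.jpg/x',
    '../../etc/passwd',
    "0123456789abcdef0123456789abcdef.jpg\n",
];
foreach ($samples as $s) {
    $shown = json_encode($s, JSON_UNESCAPED_SLASHES);
    printf("%-42s => %s\n", $shown, storedPath($s) ?? 'rejected');
}
```

The pattern is an allow-list for names the server itself generated, rather than a block-list for "phar://"; a block-list regex would have to anticipate every registered stream wrapper.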