[Phpmyadmin-devel] unserialize in user preferences

Michal Čihař michal at cihar.com
Wed Feb 9 14:54:20 CET 2011


On Wed, 09 Feb 2011 05:31:19 -0500
Marc Delisle <marc at infomarc.info> wrote:

> On 2011-02-09 05:28, Michal Čihař wrote:
> > Hi all
> > 
> > while looking at user preferences I've noticed that it uses
> > serialize/unserialize for storing the data in the database. As these
> > functions are quite famous in terms of security, I think we
> > should avoid this.
> > 
> > Any reason for not using json encoding there instead? It encodes just
> > the data and would not possibly call PHP code as unserialize could do
> > because of objects with __wakeup() methods.
> It's also used in PHPExcel, TCPDF and tracking feature.

I don't think we use that code in PHPExcel and TCPDF, however
basically the same as what I wrote applies to tracking. Anyway, now we have
a chance to make preferences use something safer without hurting backward
compatibility; with tracking it would be harder and some backward
compatibility probably would have to be maintained.

To exploit this, somebody would have to write custom data to pmadb...

	Michal Čihař | http://cihar.com | http://blog.cihar.com
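The risk discussed in this thread, shown as an added example that is not phpMyAdmin code: a PHP-serialized blob stored in the database can be swapped for an object of any class that is loaded at the time of `unserialize()`, and that class's `__wakeup()` hook then runs, whereas `json_decode()` can only ever yield arrays and scalars. The class name `TempFileCleanup`, the preference keys and the tampered payload are all constructed for illustration.

```php
<?php
// Added example (not phpMyAdmin code): why unserialize() on data read back
// from the database is dangerous and why json_decode() is not.
declare(strict_types=1);

// Hypothetical class standing in for any autoloaded class that has a
// __wakeup() hook. Unserializing an object of it runs the hook.
class TempFileCleanup
{
    public string $path = '';

    // Called automatically by unserialize() when an object of this class
    // is reconstructed. A real class might unlink($this->path) here.
    public function __wakeup(): void
    {
        echo "__wakeup() called, would act on: {$this->path}\n";
    }
}

// The preferences blob as the application itself would write it.
$prefs  = ['lang' => 'en', 'MaxRows' => 25];
$stored = serialize($prefs);
// $stored is: a:2:{s:4:"lang";s:2:"en";s:7:"MaxRows";i:25;}

// Constructed attacker blob: someone who can write to the pmadb row
// replaces the array with an object of a class that exists in the app.
$tampered = 'O:15:"TempFileCleanup":1:{s:4:"path";s:11:"/etc/passwd";}';

// 1) Plain unserialize() instantiates the object and runs __wakeup().
$a = unserialize($tampered);
var_dump($a instanceof TempFileCleanup);          // bool(true)

// Partial mitigation (PHP >= 7.0): refuse to instantiate any class.
// The result is a __PHP_Incomplete_Class and __wakeup() never runs.
$b = unserialize($tampered, ['allowed_classes' => false]);
var_dump($b instanceof __PHP_Incomplete_Class);   // bool(true)

// 2) JSON encoding: json_decode() with $assoc = true can only produce
//    arrays and scalars, so no class is instantiated whatever the bytes.
$jsonStored = json_encode($prefs, JSON_THROW_ON_ERROR);
$c = json_decode($jsonStored, true, 512, JSON_THROW_ON_ERROR);
var_dump($c === $prefs);                          // bool(true)

// Feeding the PHP-serialized attacker blob to json_decode() just fails.
try {
    json_decode($tampered, true, 512, JSON_THROW_ON_ERROR);
} catch (JsonException $e) {
    echo "rejected: " . $e->getMessage() . "\n";  // Syntax error
}
```

`allowed_classes` only exists on PHP 7 and later and still lets the attacker control the decoded structure, so the JSON route proposed in the thread is the cleaner fix for preferences; for data that must stay PHP-serialized for compatibility, `['allowed_classes' => false]` is the minimum hardening.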