Love Fuel?    Donate

FuelPHP Forums

Ask your question about FuelPHP in the appropriate forum, or help others by answering their questions.
Data serialization and security
  • PHP Coding Standards General 6 states that to avoid security issues caused by user input being passed to unserialize, we should use other safe data interchange format such as JSON instead.

    I saw that ORM is still using serialization data types and such (even simple auth package is using it to store profile fields). That means it can affect the security, if we want to store user input data there (which will happend for sure).

    Is Fuel secure in this case?

  • Harro VertonHarro Verton
    Accepted Answer
    The main problem with unserialize() is the fact that it can create objects from a string, which can potentionally dangerous if you don't know the source of the string.

    When it comes to Fuel, the only place where such a string can come into the application and is processed by the framework is via the request API. This issue has been addessed by security advisory SEC-CORE-004, see https://fuelphp.com/security-advisories.

    For SimpleAuth, the string is created by Auth, and comes from a database column. For the ORM, it is the same. For that to become a problem, it means your database and your data must be compromised, in which case you have a whole other magnitude of issue than this.

    If that isn't sufficient, switch to Ormauth, which doesn't use serialized arrays. And for ORM, it only uses serialized arrays if you designed it to do so, so that is under your own control.
  • Interesting. Thank you Harro. 

    Regarding SEC-CORE-004: Is 1.8 still vulnerable? It says <= 1.7.1
  • Harro VertonHarro Verton
    Accepted Answer
    No, only version up until 1.7.1. are vulnerable.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

In this Discussion