Add unserialize_noclass

author: jvoisin 2022-12-07 21:02:22 +0100
committer: jvoisin 2022-12-08 20:55:46 +0100
commit: ccfaf3e4713b1878241f1235a6fcb66ad0582d47 (patch)
tree: 97dcd84aed33b1d98095d0cf3f467e9dfb975f0c /doc/source
parent: 5966fefb9a291bd0eecd0fff9396b2b6cea4a62e (diff)
2 files changed, 16 insertions, 0 deletions
diff --git a/doc/source/config.rst b/doc/source/config.rst
index 9d2d0ed..bce4667 100644
--- a/doc/source/config.rst
+++ b/doc/source/config.rst
@@ -202,6 +202,20 @@ It can either be ``enabled`` or ``disabled``.
  sp.sloppy_comparison.enable();
  sp.sloppy_comparison.disable();
+unserialize_noclass
+^^^^^^^^^^^^^^^^^^^
+ 
+:ref:`unserialize_noclass <unserialize-feature>`, available only on PHP8+ and
+disabled by default, will disable the deserialization of objects via
+``unserialize``. It's equivalent to setting the ``options`` parameter of
+``unserialize`` to ``false``, on every call. It can either be ``enabled`` or
+``disabled``.
+::
+  sp.unserialize_noclass.enable();
+  sp.unserialize_noclass.disable();
 unserialize_hmac
 ^^^^^^^^^^^^^^^^
 
diff --git a/doc/source/features.rst b/doc/source/features.rst
index 25fd62d..60dbbef 100644
--- a/doc/source/features.rst
+++ b/doc/source/features.rst
@@ -166,6 +166,8 @@ CVE-2016-9138 <https://bugs.php.net/bug.php?id=73147>`_, `2016-7124
 <https://bugs.php.net/bug.php?id=72663>`_, `CVE-2016-5771 and CVE-2016-5773
 <https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/>`_.
+A less subtle mitigation can be used to simply prevent the deserialization of objects altogether.
 Examples of related vulnerabilities
 """""""""""""""""""""""""""""""""""
author	jvoisin	2022-12-07 21:02:22 +0100
committer	jvoisin	2022-12-08 20:55:46 +0100
commit	ccfaf3e4713b1878241f1235a6fcb66ad0582d47 (patch)
tree	97dcd84aed33b1d98095d0cf3f467e9dfb975f0c /doc/source
parent	5966fefb9a291bd0eecd0fff9396b2b6cea4a62e (diff)

diff --git a/doc/source/config.rst b/doc/source/config.rst index 9d2d0ed..bce4667 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst
@@ -202,6 +202,20 @@ It can either be ``enabled`` or ``disabled``.
202	sp.sloppy_comparison.enable();	202	sp.sloppy_comparison.enable();
203	sp.sloppy_comparison.disable();	203	sp.sloppy_comparison.disable();
204		204
		205	unserialize_noclass
		206	^^^^^^^^^^^^^^^^^^^
		207
		208	:ref:`unserialize_noclass <unserialize-feature>`, available only on PHP8+ and
		209	disabled by default, will disable the deserialization of objects via
		210	``unserialize``. It's equivalent to setting the ``options`` parameter of
		211	``unserialize`` to ``false``, on every call. It can either be ``enabled`` or
		212	``disabled``.
		213
		214	::
		215
		216	sp.unserialize_noclass.enable();
		217	sp.unserialize_noclass.disable();
		218
205	unserialize_hmac	219	unserialize_hmac
206	^^^^^^^^^^^^^^^^	220	^^^^^^^^^^^^^^^^
207		221


diff --git a/doc/source/features.rst b/doc/source/features.rst index 25fd62d..60dbbef 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst
@@ -166,6 +166,8 @@ CVE-2016-9138 <https://bugs.php.net/bug.php?id=73147>`_, `2016-7124
166	<https://bugs.php.net/bug.php?id=72663>`_, `CVE-2016-5771 and CVE-2016-5773	166	<https://bugs.php.net/bug.php?id=72663>`_, `CVE-2016-5771 and CVE-2016-5773
167	<https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/>`_.	167	<https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/>`_.
168		168
		169	A less subtle mitigation can be used to simply prevent the deserialization of objects altogether.
		170
169		171
170	Examples of related vulnerabilities	172	Examples of related vulnerabilities
171	"""""""""""""""""""""""""""""""""""	173	"""""""""""""""""""""""""""""""""""