Upgrade to Pro — share decks privately, control downloads, hide ads and more …

知られざるSerialize

Yuichi Sugiyama
PRO
July 31, 2019
Technology
1
340

 知られざるSerialize

Yuichi Sugiyama
PRO

July 31, 2019
Tweet

More Decks by Yuichi Sugiyama

See All by Yuichi Sugiyama
サイボウズ と Garoon と The PHP Foundation と 私 / Cybozu and Garoon and The PHP Foundation and me
oogfranz
PRO
1
240
可能な限り確実にmkdirを成功させるには / Make mkdir
oogfranz
PRO
0
220
サイボウズ #Garoon 開発チームの
「 完成度低いの歓迎LT大会 」 PHPerKaigi出張版 / Low quality LT in PHPerKaigi 2023
oogfranz
PRO
0
280
20年ものの巨大プロダクトをKubernetesに移行している話 後日談/Garoon on Kubernetes after talk
oogfranz
PRO
0
250
20年ものの巨大プロダクトをKubernetesに移行している話/Garoon on Kubernetes
oogfranz
PRO
0
200
PHPアプリケーションだってモニタリングしたい / Monitoring PHP application
oogfranz
PRO
1
400
効果的な静的解析の CI導入パターンを求めて / Great static analysis with CI
oogfranz
PRO
3
3k
Dev-meets-Ops
oogfranz
PRO
1
750
GitHub力の低い僕でも、
OSSコントリビュートできたワケ / GitHub Power
oogfranz
PRO
1
360

Other Decks in Technology

See All in Technology
上流工程に挑戦!「俺の考えた最強サーバレス構成」が一瞬で敗北した件
kentosuzuki
2
120
Swift Package Mangerのバグを直した話
k_koheyi
2
150
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
6
4.1k
(n=1の)テーブルデータコンペの取り組み方
makotu
2
1.3k
モチベーションサイクルという観点でQAをしよう
mixi_engineers
PRO
1
150
【2023】SWR vs TanStack Query
ytaisei
1
220
self-hosted runnerと actions/cache の噛み合わせが悪かった件 #githubactionsmeetup
whywaita
PRO
1
390
R Not Only in Production
karawoo
0
230
視え方と文字の大きさ
lemon
1
170
Building smarter apps with machine learning, from magic to reality
picardparis
4
3.6k
GraphQLはどんな時に使うか
saboyutaka
20
6.3k
React Suspenseを使って遷移体験を向上させる
kobayang
3
640

Featured

See All Featured
Typedesign – Prime Four
hannesfritz
35
1.8k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
33
8.6k
The Invisible Side of Design
smashingmag
292
49k
The World Runs on Bad Software
bkeepers
PRO
59
6k
Keith and Marios Guide to Fast Websites
keithpitt
407
21k
The Power of CSS Pseudo Elements
geoffreycrofte
56
4.6k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
351
28k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
239
20k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
352
21k
Thoughts on Productivity
jonyablonski
55
3k
Fireside Chat
paigeccino
18
2.2k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k

Transcript

  1. ஌ΒΕ͟ΔSerialize
    @PHP Study
    Cybozu Inc,
    Yuichi Sugiyama

    View Slide

  2. Who am I
    • ਿࢁ ༞Ұ @oogFranz
    • αΠϘ΢ζ5೥໨ΤϯδχΞ
    • େاۀ޲͚άϧʔϓ΢ΣΞ Λ࡞ͬͯΔʢPHP 7.2)
    • ෳۀδϟζϛϡʔδγϟϯ@MASHݭָஂ

    View Slide

  3. serialize(), unserialize()࢖ͬͯ·͔͢ʁ

    View Slide

  4. serialize() όϦϕϯϦ
    $a = ["hoge", 3, true];
    $a[] = &$a;
    echo serialize($a);
    # a:4:{i:0;s:4:"hoge";i:1;i:3;i:2;b:1;i:3;a:4:
    {i:0;s:4:"hoge";i:1;i:3;i:2;b:1;i:3;R:5;}}
    • PHPͷ஋Λ෮ݩՄೳͳจࣈྻʹม׵͢Δɻ
    • ΫϥεͷΠϯελϯεͰ͋ͬͯ΋ม׵Մೳʂ
    • DBʹ΋อଘͰ͖Δʂ΍ͬͨͶʂ

    View Slide

  5. serialize() όϦϕϯϦ
    $a = ["hoge", 3, true];
    $a[] = &$a;
    echo serialize($a);
    # a:4:{i:0;s:4:"hoge";i:1;i:3;i:2;b:1;i:3;a:4:
    {i:0;s:4:"hoge";i:1;i:3;i:2;b:1;i:3;R:5;}}
    • PHPͷ஋Λ෮ݩՄೳͳจࣈྻʹม׵͢Δɻ
    • ΫϥεͷΠϯελϯεͰ͋ͬͯ΋ม׵Մೳʂ
    • DBʹ΋อଘͰ͖Δʂ΍ͬͨͶʂ

    View Slide

  6. Կ͕໰୊ʁ
    • serialize() ʹ͸࣮͸ͦΜͳʹ໰୊͸ͳ͍
    • ٯؔ਺ͷunserialize()ʹ͍͔ͭ͘ͷ੬ऑੑ͕͋Δ

    View Slide

  7. PHP Object Injection ʢPOIʣ
    • ҎԼͷ৚͕݅ຬͨ͞Ε͍ͯΔ৔߹ɺ։ൃऀ͕ҙਤ͍ͯ͠ͳ͍

    ίʔυΛ߈ܸऀ͕࣮ߦͰ͖Δɻ
    • __wakeup(), __destruct()ͳͲͷϚδοΫϝιουʹ

    ෭࡞༻ͷ͋Δίʔυ͕ॻ͔Ε͍ͯΔ
    • unserialize()ͷҾ਺ʹϢʔβʔ͔Βͷೖྗ͕౉͞ΕΔ

    View Slide

  8. ϚδοΫϝιου
    • ಛఆͷ৚݅ͰࣗಈͰൃಈ͢Δຐ๏
    • serialize()ͷ࣮ߦ࣌ʹϚδοΫϝιουͷ __sleep() ͕

    ͋ͬͨΒࣗಈͰ࣮ߦ͞ΕΔ
    • unserialize()࣌ʹɺϚδοΫϝιουͷ __wakeup() ͕

    ͋ͬͨΒࣗಈͰ࣮ߦ͞ΕΔ

    View Slide

  9. αϯϓϧ
    class POIExample{
    private $filename;
    public function __destruct()
    {
    unlink($this->filename);
    }
    }
    unserialize('O:10:"POIExample":1:{s:
    20:"POIExamplefilename";s:8:"test.php";}')

    View Slide

  10. αϯϓϧ
    class POIExample{
    private $filename;
    public function __destruct()
    {
    unlink($this->filename);
    }
    }
    unserialize('O:10:"POIExample":1:{s:
    20:"POIExamplefilename";s:8:"test.php";}')
    ߈ܸऀ͕೚ҙͷϑΝΠϧͷ࡟আ͕Մೳʂ

    View Slide

  11. POIͷ͕͜͜ා͍
    • ࣮ࡍʹunserializeʹ౉͞ΕΔ͜ͱ͕ͳ͍ΫϥεͰ͋ͬͯ΋ɺ

    auto_loadͷ࢓૊Έ͕͋Δͱ࣮ߦ͞Εͯ͠·͏ɻ
    • privateͷϝϯόม਺ʹ΋೚ҙͷ஋Λ୅ೖՄೳ

    setterΛհ͞ͳ͍ͷͰɺߟྀ͕೉͍͠ɻ
    • ԾʹsetterͰσΟϨΫτϦτϥόʔαϧΛ๷͍Ͱ͍ͯ΋ແҙຯ

    View Slide

  12. • json_encode(), json_decode()Λ࢖͏ɻ

    ˠΦϒδΣΫτΛγϦΞϥΠζɾσγϦΞϥΠζ͢ΔͷͰͳ͚Ε͹
    े෼ɻ
    • allowed_classesΦϓγϣϯΛ࢖͏

    ˠࢦఆ͞ΕͨΫϥεͷΦϒδΣΫτʹ͔͠

    ɹม׵͞Εͳ͍͜ͱ͕อূ͞ΕΔ
    POIΛ๷͙ʹ͸ʁ

    View Slide

  13. allowed_classes Φϓγϣϯ
    $serialized_str = 'O:10:"POIExample":1:{s:20:"POIExamplefilename";s:
    8:"test.php";}';
    $result = unserialize($serialized_str, ['allowed_classes' => false]);
    var_dump($result);
    /*
    object(__PHP_Incomplete_Class)#2 (2) {
    ["__PHP_Incomplete_Class_Name"]=>
    string(10) "POIExample"
    ["filename":"POIExample":private]=>
    string(8) "test.php"
    }
    */
    echo serialize($result);
    // O:10:"POIExample":1:{s:20:"POIExamplefilename";s:8:"test.php";}

    View Slide

  14. allowed_classesͰकΕΔ΋ͷ
    • ڐՄ͞Ε͍ͯͳ͍ΫϥεΛunserialize()͢Δͱɺ__PHP_Incomplete_Class
    ʹม׵͞ΕΔ
    • ͦͷΦϒδΣΫτΛ΋͏Ұ౓serialize͢Δͱ

    ʢͳ͔ͥʣݩʹ໭Δɻ
    • σϑΥϧτ஋͸ true (ΨόΨό)ͳͷͰ໌ࣔతʹࢦఆ͢Δඞཁ͕͋Δ
    • falseΛࢦఆ͢Ε͹ɺ͋ΒΏΔΫϥεΛڋઈ͢Δ

    View Slide

  15. __PHP_Incomplete_ClassʹͳͬͨΒΤϥʔʹ͍ͨ͠
    • ةͳ͍΋ͷ͕౉͖͍ͬͯͯΔͷͰΤϥʔʹ͍ͨ͠
    • get_class Λͯ͠ɺ__PHP_Incomplete_Class ͔Λௐ΂Δ
    • unserialize_callback_func ͸ݺͼग़͞Εͳ͍ͷͰ஫ҙɻ

    View Slide

  16. allowed_classes͕͋Ε͹unserialize࢖ͬ
    ͯ΋ྑ͍ʁ
    https://twitter.com/nikita_ppv/status/895571304325062656

    View Slide

  17. allowed_classes͕͋Ε͹unserialize࢖ͬ
    ͯ΋ྑ͍ʁ
    https://www.php.net/manual/ja/function.unserialize.php

    View Slide

  18. unserializeͷ੬ऑੑ͸੬ऑੑͱΈͳ͞Εͳ͍
    • ϝϞϦपΓͳͲͷෆ۩߹Ͱ͋ͬͯ΋੬ऑੑͱΈͳ͞Εͳ͍

    Մೳੑ͕͋Δ
    • ΧδϡΞϧʹϝϞϦपΓͷෆ۩߹͕ใࠂ͞Ε͍ͯΔ

    View Slide

  19. serializeͨ͠஋ΛDBʹೖΕΔ͜ͱʹ͍ͭͯ
    • SQL Ξϯνύλʔϯͷ

    5ষ EAVʢΤϯςΟςΟɾΞτϦϏϡʔτɾόϦϡʔʣ

    ʹͳͬͯΔՄೳੑ͕ߴ͍ɻ

    View Slide

  20. MySQLͱserialize
    • MySQLͷtextʹγϦΞϥΠζσʔλΛೖΕ͍ͯΔ৔߹ɺ

    จࣈ਺͕Φʔόʔ͢Δͱɺ్தͰ੾ΒΕͯ͠·͍ɺ

    ෮ݩͰ͖ͳ͘ͳΔɻʢStrict SQL Modeʹґଘʣ
    • MySQL 5.7͔Β͸JSONܕ͕࢖͑ΔΑ͏ʹͳͬͨͷͰɺ

    ಈతεΩʔϚ͕Ͳ͏ͯ͠΋ඞཁͳ৔߹΋JSONܕΛߟ͑ͨํ͕
    Αͦ͞͏ɻ

    View Slide

  21. ·ͱΊ
    • serialize(), unserialize()Λ࢖͍ͬͯͳ͍ͷͳΒɺͦΕ͕Ұ൪
    • ΋͠࢖͍ͬͯΔͷͳΒɺPOIΛ๷͙ͨΊɺϢʔβʔೖྗσʔλ͕ೖͬͯ͜ͳ͍͜ͳ͍͜ͱΛ͔֬Ί
    Α͏
    • ՄೳͰ͋Ε͹json_encode, json_decodeʹஔ͖͔͑Α͏
    • ͦΕ΋ແཧͳΒɺallowed_classesΦϓγϣϯͰPOI͸͠ͷ͝͏
    • DBʹ͸อଘ͠ͳ͍Α͏ʹ͠·͠ΐ͏
    • ϝϞϦपΓͷෆ۩߹΋͋ΔͷͰஔ͖׵͑Λݕ౼͠·͠ΐ͏ɻ

    View Slide