Page MenuHomePhabricator

Protect against PHP code execution via memcached/unserialize
Open, MediumPublic


The PHP memcached library uses PHP serialization. If an attacker succeeds in placing malicious data in memcached (which does not require authentication), that malicious data will be unserialized when read via the PHP memcached library. unserialize is unsafe for untrusted data. Among other things, it may trigger code execution via the __wakeup method.

We should find a way to prevent the PHP memcached library from unserializing arbitrary data. Perhaps it can be patched to use JSON serialization instead.

This task was factored out of T161647: RFC: Deprecate using php serialization inside MediaWiki.

Event Timeline

daniel created this task.Jun 30 2017, 12:41 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 30 2017, 12:41 PM
Krinkle updated the task description. (Show Details)Jul 1 2017, 2:02 AM
dpatrick triaged this task as Medium priority.Jul 19 2017, 5:08 PM
dpatrick added a subscriber: tstarling.

This is especially important with T152126 open.

Change 432042 had a related patch set uploaded (by Tim Starling; owner: Tim Starling):
[mediawiki/libs/ScopedCallback@master] Protect against insecure unserialization of ScopedCallback

Change 432042 merged by jenkins-bot:
[mediawiki/libs/ScopedCallback@master] Protect against insecure unserialization of ScopedCallback

Change 661962 had a related patch set uploaded (by Aaron Schulz; owner: Aaron Schulz):
[mediawiki/core@master] objectcache: make ObjectCache log values that are not JSON serializable

Krinkle assigned this task to daniel.Fri, Feb 19, 2:15 AM
Krinkle moved this task from Untriaged to libs/objectcache on the MediaWiki-Cache board.
Krinkle added a project: Platform Engineering.

This should help with the realization of the T161647 plan by PET. I hope it helps / suit as you see fit.