Download the PHP package xkerman/restricted-unserialize without Composer
On this page you can find all versions of the php package xkerman/restricted-unserialize. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download xkerman/restricted-unserialize
More information about xkerman/restricted-unserialize
Files in xkerman/restricted-unserialize
Package restricted-unserialize
Short Description provide PHP Object Injection safe unserialize function
License MIT
FAQ
Example:
In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
- Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
- To use Composer is sometimes complicated. Especially for beginners.
- Composer needs much resources. Sometimes they are not available on a simple webspace.
- If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
- Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Informations about the package restricted-unserialize
restricted-unserialize
This composer package provides unserialize function that is safe for PHP Obejct Injection (POI).
If normal unserialize function is used for deserializing user input in your PHP application:
- Don't use this package, use
json_decodein order to avoid PHP Object Injection - If compatibility matters, first use this function and then try to use
json_decodein the near future
Why POI-safe?
unserialize function in this package only deserializes boolean, integer, floating point number, string, and array, and not deserializes object instance.
Since any instances that has magic method for POP chain (such as __destruct or __toString) cannot instantiate, any plan to exploit POP chain just fails.
( You can read detailed explanation of POP chain https://www.insomniasec.com/downloads/publications/Practical%20PHP%20Object%20Injection.pdf )
Installation
How to use
if your PHP version > 5.5:
if your PHP version >= 5.3 and <= 5.5:
if your PHP version is 5.2:
Related other packages
mikegarde/unserialize-fix
mikegarde/unserialize-fix package provides \unserialize\fix function that tries to use unserialize function first. So the function is not POI-safe.
academe/serializeparser
academe/serializeparser package privides \Academe\SerializeParser\Parser::parse method that is PHP-implemented unserialize, but doesn't deserialize object instances. So the method seems that POI-safe, but there is no test.
jeroenvdheuve/serialization
jeroenvdheuve/serialization package provides \jvdh\Serialization\Unserializer\unserialize method that is also PHP-implemented unserialize, and doesn't deserialize object instance. So the method seems that POI-safe.
The method can deserialize serialized PHP references, which cannot deserialized by this (xkerman/restricted-unserilize) package. By using PHP reference, we can create cyclic structure, but that makes migration to json_decode harder, since JSON doesn't support cyclic structure decode/encode.
Development
To generate code for PHP 5.2, run composer run generate.
Generated code will be saved under genereated/ directory.
LICENSE
MIT License
