We've been considering (at https://phabricator.wikimedia.org/T169328 etc.) how to protect MediaWiki from potential escalation from memcached access to arbitrary execution. The issue is that if an attacker can access memcached, they could write a value which, when unserialized, causes execution of arbitrary code in __wakeup() or another magic method. This depends on there being a vulnerable class, but the attack surface is very large.
OPT_SERIALIZER is not sufficient at present since the PHP client will always call php_var_unserialize() if the memcached server specifies the relevant flag.
Migrating MediaWiki to JSON serialization would be a lengthy undertaking, and would warrant some complexity in migration support. One possibility would be to have an option which specifies a userspace unserializer, e.g.
The userspace function would be called with val_type and payload, and would be expected to return the unserialized value, replacing the default handling in s_unserialize_value(), for example:
In the long term and for non-MediaWiki users, a more convenient alternative could be e.g. OPT_SECURE_UNSERIALIZE, a boolean option which when true would disable all branches of s_unserialize_value() which may lead to arbitrary code execution.
We've been considering (at https://phabricator.wikimedia.org/T169328 etc.) how to protect MediaWiki from potential escalation from memcached access to arbitrary execution. The issue is that if an attacker can access memcached, they could write a value which, when unserialized, causes execution of arbitrary code in __wakeup() or another magic method. This depends on there being a vulnerable class, but the attack surface is very large.
OPT_SERIALIZER is not sufficient at present since the PHP client will always call php_var_unserialize() if the memcached server specifies the relevant flag.
Migrating MediaWiki to JSON serialization would be a lengthy undertaking, and would warrant some complexity in migration support. One possibility would be to have an option which specifies a userspace unserializer, e.g.
The userspace function would be called with val_type and payload, and would be expected to return the unserialized value, replacing the default handling in s_unserialize_value(), for example:
In the long term and for non-MediaWiki users, a more convenient alternative could be e.g. OPT_SECURE_UNSERIALIZE, a boolean option which when true would disable all branches of s_unserialize_value() which may lead to arbitrary code execution.