Potential Object Injection vulnerability

[hoveit]

The Session class uses unserialize in the read method, creating a PHP Object Injection risk if session files are modified (e.g., via insecure permissions). This could enable arbitrary code execution through the use of magic methods.

Probably better to use JSON serialization.

[n0nag0n]

So I see your point that there's a risk of that, however this is the same process that is used internally with php, they use serialize to store the session object as well. The difference between serialize() and json_encode() is exactly what you pointed out, one handles objects and the other does not.

I guess I'm more curious into understanding how session files can be modified via insecure permissions to get that fixed rather than changing it to json_encode() instead. The one thing that comes to mind is if you somehow found a vuln where you can write to files on the server by changing the path. Then you could find all the session files, deserialize them, add a malicious object and then reserialize them again. That however still points to another vuln to fix, not necessarily something wrong with serialize in the lib.

I'm totally open to changing it, just want to understand the problem better.

[n0nag0n]

Added this change. Thanks so much! #7

Updated docs here https://docs.flightphp.com/en/v3/awesome-plugins/session#serialization-modes