Hi internals,

I've created https://wiki.php.net/rfc/phar_stop_autoloading_metadata as mentioned earlier in https://externals.io/message/110856

This aims to add the mitigations described in https://externals.io/message/105271#105291 , which seemed to be the most straightforward approach to avoiding unexpected side effects of unserialization.

- For a trusted phar, I wouldn't expect to need to unserialize metadata to check for the file not being corrupt (e.g. there's a checksum, and people would have tested the phar manually).
- For an untrusted phar, I'd want php to avoid calling unserialize() when reading it.

https://bugs.php.net/bug.php?id=76774 goes into more detail about the security issues this aims to fix.

Thanks,
- Tyson

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
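The consumer-side pattern the mitigation enables, as an added example that is not part of the email or the RFC: a constructed phar is written with object-valued metadata, then read back with unserialize() options that forbid class instantiation, so a caller that only expects plain data can reject the archive before using it. This assumes the PHP 8.0+ form of `Phar::getMetadata()`, which accepts an `unserialize()` options array; the class name `Totally`, the function names and the `demo.phar` path are constructed for the demo. Writing a phar requires running with `php -d phar.readonly=0`.

```php
<?php
// Added example, not code from the RFC or the mailing-list post.
// Run with: php -d phar.readonly=0 demo.php   (PHP >= 8.0 assumed)

// Constructed class standing in for whatever an untrusted phar might embed.
class Totally { public string $note = 'constructed object for the demo'; }

// Build a constructed phar whose manifest carries object-valued metadata.
function buildDemoPhar(string $path): void {
    if (file_exists($path)) { unlink($path); }
    $phar = new Phar($path);
    $phar->addFromString('index.php', "<?php echo 'hello';");
    $phar->setMetadata(['built' => '2020-06-01', 'obj' => new Totally()]);
    $phar->setStub($phar->createDefaultStub('index.php'));
}

// Read metadata without letting unserialize() instantiate any class.
// With allowed_classes => false, serialized objects come back as
// __PHP_Incomplete_Class instead of running constructors/wakeups/destructors,
// so the caller can detect them and refuse the archive.
function readMetadataSafely(string $path): array {
    $phar = new Phar($path);
    if (!$phar->hasMetadata()) {
        return ['ok' => true, 'meta' => null];
    }
    $meta = $phar->getMetadata(['allowed_classes' => false]);

    // Wrap in an array so a bare object at the top level is visited too.
    $hasObjects = false;
    $wrapped = [$meta];
    array_walk_recursive($wrapped, function ($v) use (&$hasObjects) {
        if ($v instanceof __PHP_Incomplete_Class) {
            $hasObjects = true;
        }
    });
    return ['ok' => !$hasObjects, 'meta' => $meta];
}

$path = sys_get_temp_dir() . '/demo.phar';   // constructed path
buildDemoPhar($path);
$result = readMetadataSafely($path);
echo $result['ok']
    ? "metadata is plain data\n"
    : "metadata contains serialized objects; rejecting this phar\n";
```

The point of the check is that nothing in the untrusted manifest gets to execute code during the read: the metadata is only inspected after `unserialize()` has been told not to instantiate anything, which is exactly the side effect the RFC wants PHP to stop triggering implicitly.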