Hi internals,

I've started the vote on https://wiki.php.net/rfc/phar_stop_autoloading_metadata as announced earlier in https://externals.io/message/110871 ([RFC] Don't automatically unserialize Phar metadata outside getMetadata()).

This adds the mitigations described in https://externals.io/message/105271#105291, which seemed to be the most straightforward approach to avoiding unexpected side effects of unserialization.

- For a trusted phar, I wouldn't expect to need to unserialize metadata to check for the file not being corrupt (e.g. there's a checksum, and people would have tested the phar manually).
- For an untrusted phar, I'd want PHP to avoid calling unserialize() when reading it through stream wrappers.

https://bugs.php.net/bug.php?id=76774 goes into more detail about the security issues this aims to fix.

Thanks,
- Tyson

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
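As an added illustration of the defender's side of this change (example code, not from the mail, the RFC, or PHP itself): on PHP 8.0+ `Phar::getMetadata()` accepts `unserialize()` options, so a consumer that does need the metadata can read it explicitly, with class instantiation disabled, after the archive's signature has been checked. The helper names below are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: read a phar's metadata only on demand and only as
// plain scalars/arrays. With the RFC applied, new Phar() and the phar://
// stream wrapper no longer unserialize metadata; getMetadata() is the one
// place it happens, so that is where the unserialize() options are applied.
function readPharMetadataSafely(string $pharPath): mixed
{
    // Opening a signed archive verifies its signature; a corrupt or
    // tampered phar throws here, before any unserialize() call is reached.
    $phar = new Phar($pharPath);

    // Treat an unsigned archive as untrusted: getSignature() returns false
    // when there is no signature to verify.
    $sig = $phar->getSignature();
    if (!is_array($sig)) {
        throw new RuntimeException("$pharPath carries no signature");
    }

    if (!$phar->hasMetadata()) {
        return null;
    }

    // allowed_classes => false: any serialized object is materialised as
    // __PHP_Incomplete_Class instead of running a real class's wakeup logic.
    $meta = $phar->getMetadata(['allowed_classes' => false]);
    rejectObjects($meta);
    return $meta;
}

// Reject metadata that contains objects at any depth (including
// __PHP_Incomplete_Class placeholders), so only scalars and arrays survive.
function rejectObjects(mixed $value, string $path = 'metadata'): void
{
    if (is_object($value)) {
        throw new UnexpectedValueException(
            "$path holds an object (" . get_class($value) . "); only scalars/arrays are accepted"
        );
    }
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            rejectObjects($v, "$path[$k]");
        }
    }
}

// Usage (constructed path): var_dump(readPharMetadataSafely('/path/to/library.phar'));
```

For per-file metadata the same options apply to `PharFileInfo::getMetadata()`; for callers that never use the metadata at all, the RFC means no unserialize() is needed in the first place.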