Andi Gutmans wrote:
At 04:25 AM 1/21/2006, Jared Williams wrote:
What are the security implications of doing this?
Creating objects based on a string from an untrusted source seems not
a good idea, unless you can prevent tampering (with an HMAC or
something).
Well I think the right thing to do is pass an array of "allowed" classes
into json_decode() and raise an error/exception if it's not in the list.
Maybe we should try to come up with a common approach here for
unserialize() as well?
regards,
Lukas
--
PHP Internals - PHP Runtime Development Mailing List
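The two ideas raised in this thread (an HMAC over the payload, and a list of "allowed" classes that raises an error for anything else), as an added example that is not part of the original messages or of PHP's own code. It uses the `allowed_classes` option that unserialize() accepts since PHP 7.0; the classes `Point` and `Logger`, the helper names and the key are constructed for illustration.

```php
<?php
// Constructed sample classes for this demonstration (not from the thread).
final class Point  { public $x = 0; public $y = 0; }
final class Logger { public $file = '/tmp/app.log'; }
// Serialize a value and prepend a hex HMAC-SHA256 tag over the payload.
function pack_signed($value, string $key): string {
    $payload = serialize($value);
    return hash_hmac('sha256', $payload, $key) . $payload;
}
// Reject any object whose class was not on the allow-list; unserialize()
// hands those back as __PHP_Incomplete_Class instead of failing.
function assert_no_incomplete($v, ?SplObjectStorage $seen = null): void {
    $seen = $seen ?? new SplObjectStorage();
    if ($v instanceof __PHP_Incomplete_Class) {
        throw new UnexpectedValueException('class not on allow-list');
    }
    if (is_object($v)) {
        if (isset($seen[$v])) { return; }   // already visited (cycle)
        $seen[$v] = true;
    }
    if (is_array($v) || is_object($v)) {
        foreach ((array) $v as $child) { assert_no_incomplete($child, $seen); }
    }
}
// Verify the tag before parsing anything, then decode with the allow-list.
function unpack_signed(string $blob, string $key, array $allowed) {
    if (strlen($blob) < 64) { throw new RuntimeException('blob too short'); }
    $tag = substr($blob, 0, 64);            // 64 hex chars = SHA-256 tag
    $payload = substr($blob, 64);
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $tag)) {
        throw new RuntimeException('HMAC mismatch');
    }
    $value = unserialize($payload, ['allowed_classes' => $allowed]);
    assert_no_incomplete($value);
    return $value;
}

$key    = random_bytes(32);                 // constructed demo key
$good   = pack_signed(new Point(), $key);
$mixed  = pack_signed([new Point(), new Logger()], $key);
$forged = $good;
$forged[70] = chr(ord($forged[70]) ^ 1);    // flip one bit in the payload
foreach (['good' => $good, 'mixed' => $mixed, 'forged' => $forged] as $name => $blob) {
    try {
        unpack_signed($blob, $key, [Point::class]);
        echo "$name: accepted\n";
    } catch (Exception $e) {
        echo "$name: rejected (", $e->getMessage(), ")\n";
    }
}
```

The HMAC only shows that the payload came from a holder of the key; the allow-list still limits which classes a correctly signed payload may instantiate.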