Thanks for the example. Even if it's not frequent, I agree that it doesn't cost much to prevent this issue.
Pierrick

On 1 February 2013 13:04, Stas Malyshev <smalys...@sugarcrm.com> wrote:
> Hi!
>
> > I'm not against it but, just being curious, what are those security
> > reasons ?
>
> If you ever accepted serialized data from outside (say, after putting it
> in a cookie or just having API that accepts serialization) and then
> forwarded the same data array using cURL, the attacker could create
> serialized representation of CURLFile that would make cURL send out a
> file on your filesystem, which would be a security breach. Basically the
> same security problem as with @, only with serialization involved. It is
> not frequent case, but possible.
>
> --
> Stanislav Malyshev, Software Architect
> SugarCRM: http://www.sugarcrm.com/
> (408)454-6900 ext. 227
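The scenario Stas describes is untrusted serialized data being unserialized and then handed to cURL as POST fields. The following is an added example, not code from the thread or from PHP itself, showing how an application can close that path on its own side: unserialize with object instantiation disabled (the `allowed_classes` option, available since PHP 7.0) and then refuse any non-scalar value before the array reaches `CURLOPT_POSTFIELDS`. The function names `unserializeUntrusted`, `assertPlainData` and `buildPostFields` are hypothetical, and the sample payloads are constructed for illustration.

```php
<?php
// Added example (not from the thread). Assumes PHP >= 7.0 for the
// 'allowed_classes' option of unserialize(). Function names are hypothetical.

/**
 * Unserialize data that came from outside (cookie, API body, ...) without
 * ever instantiating objects. Any serialized object, CURLFile included, is
 * returned as __PHP_Incomplete_Class instead of a live instance.
 */
function unserializeUntrusted($payload)
{
    return unserialize($payload, ['allowed_classes' => false]);
}

/**
 * Walk the value tree and accept only null, scalars and arrays of those.
 * Objects of any kind (live or incomplete) and resources are rejected, so
 * nothing that cURL would treat as a file upload can be forwarded.
 */
function assertPlainData($value, $path = 'root')
{
    if (is_array($value)) {
        foreach ($value as $key => $item) {
            assertPlainData($item, $path . '[' . $key . ']');
        }
        return;
    }
    if ($value !== null && !is_scalar($value)) {
        throw new InvalidArgumentException(
            'Refusing non-scalar value at ' . $path . ' (' . gettype($value) . ')'
        );
    }
}

/**
 * Turn an untrusted serialized payload into an array that is safe to pass
 * to curl_setopt($ch, CURLOPT_POSTFIELDS, ...). Throws on anything that is
 * not plain data.
 */
function buildPostFields($payload)
{
    $data = unserializeUntrusted($payload);
    if ($data === false && $payload !== serialize(false)) {
        throw new InvalidArgumentException('Malformed serialized payload');
    }
    assertPlainData($data);
    return $data;
}

// Constructed sample 1: ordinary form data round-tripped through serialize().
$benign = serialize(['user' => 'alice', 'tags' => ['a', 'b'], 'count' => 3]);
$fields = buildPostFields($benign);
// $fields is now ['user' => 'alice', 'tags' => ['a', 'b'], 'count' => 3]
// and could be given to curl_setopt($ch, CURLOPT_POSTFIELDS, $fields).

// Constructed sample 2: an array that smuggles an object into a field.
// A stdClass stands in for any object; CURLFile would be rejected the same way.
$withObject = 'a:1:{s:4:"file";O:8:"stdClass":0:{}}';
try {
    buildPostFields($withObject);
    echo "unexpected: object was accepted\n";
} catch (InvalidArgumentException $e) {
    // Prints: rejected: Refusing non-scalar value at root[file] (object)
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

Disabling object instantiation at the `unserialize()` call is the part that matters most: once a `CURLFile` instance exists inside the array, cURL will honour it regardless of how the array was built. The recursive check is a second line of defence for code paths where the array is assembled from several sources.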