Hi!

> I'm also wondering under which category unserialize() issues would
> (usually) fall. I'd assume "low" (because requires documented insecure
> code + well known class of vulnerabilities).

I'd say medium. While it's documented that unserializing external strings is unsafe, there is code out there that does exactly that. Especially older code from times before JSON was mainstream.

--
Stas Malyshev
smalys...@gmail.com

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php