Hi, https://bugs.php.net/bug.php?id=75006 has been marked as a non-security bug, with the justification that unserialize() should not be fed untrusted input. While we do document that unserialize() shouldn't be used on untrusted input, we have always treated these as security bugs in the past.
Could somebody please clarify our current security policy with regard to unserialize? Thanks, Nikita
