On 02.08.2017 at 22:02, Nikita Popov wrote:
> https://bugs.php.net/bug.php?id=75006 has been marked as a non-security
> bug, with the justification that unserialize() should not be fed untrusted
> input. While we do document that unserialize() shouldn't be used on
> untrusted input, we have always treated these as security bugs in the past.
>
> Could somebody please clarify our current security policy with regard to
> unserialize?
According to the security issue classification[1], it seems to me such issues are correctly classified as "Not a security issue"[2] by virtue of the clause:

"requires the use of code or settings known to be insecure"

[1] <https://wiki.php.net/security>
[2] <https://wiki.php.net/security#not_a_security_issue>

--
Christoph M. Becker
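Both messages take for granted that unserialize() must only see input the application itself produced. The following is an added illustration of how to enforce that in application code; it is not code from the thread or from PHP itself, and it assumes PHP 8 with a hypothetical placeholder key `SECRET_KEY` that a real deployment would replace with a random secret loaded from configuration.

```php
<?php
// Added example (not from the thread): keeping untrusted bytes away from
// unserialize(), which the PHP manual documents as unsafe on untrusted input.

// 1. Data that never needs PHP objects: prefer JSON over serialize().
function decodeUntrustedJson(string $input): ?array
{
    $data = json_decode($input, true, 16, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// 2. Data that must stay in serialize() format (e.g. legacy blobs): authenticate
//    it first so unserialize() only ever runs on bytes this application sealed,
//    and additionally refuse object instantiation via allowed_classes => false.
const SECRET_KEY = 'placeholder-replace-with-32-random-bytes'; // placeholder only

function sealSerialized(mixed $value, string $key): string
{
    $payload = serialize($value);
    $mac = hash_hmac('sha256', $payload, $key); // 64 hex chars, never contains ':'
    return $mac . ':' . $payload;
}

function openSerialized(string $blob, string $key): mixed
{
    $sep = strpos($blob, ':'); // first ':' ends the MAC; payload may contain ':'
    if ($sep === false) {
        throw new RuntimeException('malformed blob');
    }
    $mac = substr($blob, 0, $sep);
    $payload = substr($blob, $sep + 1);
    // Constant-time comparison; reject before unserialize() is ever reached.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        throw new RuntimeException('integrity check failed');
    }
    // Even authenticated data is not permitted to instantiate objects.
    return unserialize($payload, ['allowed_classes' => false]);
}

// Constructed sample: a sealed array round-trips, a tampered copy is rejected.
$blob = sealSerialized(['user' => 'alice', 'role' => 'viewer'], SECRET_KEY);
var_dump(openSerialized($blob, SECRET_KEY));
$tampered = substr($blob, 0, -1) . 'x';
try {
    openSerialized($tampered, SECRET_KEY);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```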