Hi!

> This issue was discussed in this list before.
> As long as PHP calls unserialize for phar metadata, object injection is
> possible, which may allow malicious code execution.

Right. That's why I want to make it not unserialize this data unless
it's explicitly being requested.

> I'm not sure if Phar metadata requires objects or not.
> If not, Phar may use JSON. Or we may add a safer unserialize that ignores
> objects and references for maximum compatibility.

That would break BC with all existing phars that use metadata.
-- 
Stas Malyshev
smalys...@gmail.com

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
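To make the "safer unserialize that ignores objects" idea concrete, here is an added example (not code from this thread or from PHP's phar extension) contrasting plain unserialize() with the allowed_classes option that PHP's own unserialize() accepts since 7.0; the MetaHook class and both metadata blobs are constructed for illustration, and PHP 8 is assumed.

```php
<?php
// Added example, not from the thread: compare plain unserialize() with the
// allowed_classes option as a model for a "safer unserialize" of phar metadata.
// MetaHook and the two metadata blobs below are constructed for illustration.

class MetaHook
{
    public string $name = 'x';

    // A wakeup hook is the kind of side effect object injection can reach.
    public function __wakeup(): void
    {
        echo "MetaHook::__wakeup ran\n";
    }
}

// Typical phar metadata: a plain array, no objects (the BC-relevant case).
$arrayMeta = serialize(['name' => 'tool', 'version' => '1.2.3']);
// Metadata carrying an object, built from our own class above.
$objectMeta = serialize(new MetaHook());

function decodeMetadataSafely(string $blob)
{
    // allowed_classes => false: any object in the blob decodes as
    // __PHP_Incomplete_Class, so no attacker-chosen class is instantiated and
    // none of its __wakeup/__destruct hooks run. Scalars and arrays are unchanged.
    $value = @unserialize($blob, ['allowed_classes' => false]);
    if ($value === false && $blob !== serialize(false)) {
        throw new UnexpectedValueException('metadata is not valid serialized data');
    }
    return $value;
}

echo "--- array metadata, safe decode ---\n";
var_dump(decodeMetadataSafely($arrayMeta));          // array(2) {...}, unchanged

echo "--- object metadata, safe decode ---\n";
$safe = decodeMetadataSafely($objectMeta);
var_dump($safe instanceof __PHP_Incomplete_Class);   // bool(true), no __wakeup output

echo "--- object metadata, plain decode (what eager unserialize does) ---\n";
$plain = unserialize($objectMeta);                   // prints "MetaHook::__wakeup ran"
var_dump($plain instanceof MetaHook);                // bool(true)
```

The array case decoding unchanged is the compatibility point: phars whose metadata is scalars or arrays keep working, and only phars that stored real objects would observe a difference.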