Hi!

> This issue was discussed in this list before.
> As long as PHP calls unserialize for phar metadata, object injection is possible
> which may allow malicious code execution.

Right. That's why I want to make it not unserialize this data unless it's explicitly being requested.

> I'm not sure if Phar metadata requires object or not.
> If not, Phar may use JSON. Or we may add safer unserialize that ignores object
> and reference for maximum compatibility.

That would break BC with all existing phars that use metadata.

--
Stas Malyshev
smalys...@gmail.com