Re: [PHP-DEV] Unserialize security policy

2017-08-15 Thread Stanislav Malyshev
Hi! > The two main points are: > 1. While it's true that if you're using unserialize() on untrusted input > you are most likely going to be vulnerable due to object injection, it may > be quite hard for an attacker to exploit this for closed source Objects are not the problem (unless it's interna

[PHP-DEV] GOOD Benchmark Results for PHP Master 2017-08-14

2017-08-15 Thread lp_benchmark_robot
Results for project PHP master, build date 2017-08-14 19:23:08-07:00 commit: b8f20d7 previous commit:beb9295 revision date: 2017-08-14 21:23:05-04:00 environment:Haswell-EP cpu:Intel(R) Xeon(R) CPU E5-2699 v3 @ 2.30GHz 2x18 cores, stepping 2, LLC 45 MB

Re: [PHP-DEV] Unserialize security policy

2017-08-15 Thread Christoph M. Becker
On 15.08.2017 at 23:56, Christoph M. Becker wrote: > What about references? Consider, for instance, the following code: > > > $_POST['untrusted_input'] = 'a:1:{i:0;a:1:{i:0;R:2;}}'; > > function flatten($array) > { > if (is_array($array)) { > $result = [];

Re: [PHP-DEV] Unserialize security policy

2017-08-15 Thread Christoph M. Becker
On 11.08.2017 at 12:55, Nikita Popov wrote: > I think it might also be useful to make a distinction based on > allowed_classes here. I think there is a reasonable expectation that if > allowed_classes is empty (and as such any object injection vectors are > excluded), unserialize() should be safe.

[PHP-DEV] Slow DateTimeZone::getTransitions with no argument

2017-08-15 Thread Andreas Treichel
Hi, Is the first entry in the return value of http://php.net/manual/en/datetimezone.gettransitions.php with the timestamp PHP_INT_MIN / ZEND_LONG_MIN intended? The difference with no arguments is over 100 times slower on 64 bit systems: DateTimeZone::getTransitions() Duration: 0.075577 Date

[PHP-DEV] [RFC] Deprecate class instance deserialization in WDDX

2017-08-15 Thread Christoph M. Becker
Hi internals! Due to the recent discussion regarding WDDX serialization and security (), I've written an RFC that proposes to deprecate class instance deserialization in WDDX:

[PHP-DEV] Re: [PHP-WEBMASTER] Subscribe Function Seems to be down for several days

2017-08-15 Thread Alan Feuerbacher
On 8/3/2017 9:06 AM, Andreas Heigl wrote: Seems like the mailing list needs some love… again… Cheers Andreas On 03.08.17 at 17:02, Alan Feuerbacher wrote: I've been trying for several days to subscribe to a PHP mailing list, but I keep getting the message "We were unable to subscribe you due

[PHP-DEV] Re: GD vs Imagick

2017-08-15 Thread Christoph M. Becker
On 15.08.2017 at 12:52, Rasmus Schultz wrote: > The following GD issue is all-too common: > > https://stackoverflow.com/questions/5773032/how-to-stop-gd2-from-washing-away-the-colors-upon-resizing-images > > Basically anyone who's ever accepted uploaded images and resized or > converted them, ha

Re: [PHP-DEV] GD vs Imagick

2017-08-15 Thread Dan Ackroyd
On 15 August 2017 at 12:11, Kalle Sommer Nielsen wrote: > the maintainer of Imagick, Hey, that's me! > and work together with the maintainer of Imagick, Actually, it would be lovely if anyone contributed to Imagick. I've been the maintainer of the extension for a little over three years and ha

Re: [PHP-DEV] GD vs Imagick

2017-08-15 Thread Derick Rethans
On Tue, 15 Aug 2017, Rasmus Schultz wrote: > The following GD issue is all-too common: > > https://stackoverflow.com/questions/5773032/how-to-stop-gd2-from-washing-away-the-colors-upon-resizing-images > > Basically anyone who's ever accepted uploaded images and resized or > converted them, has b

Re: [PHP-DEV] GD vs Imagick

2017-08-15 Thread Kalle Sommer Nielsen
2017-08-15 12:52 GMT+02:00 Rasmus Schultz Why is the less-capable image library the default on the PHP platform? Why > not Imagick? Most likely because no one has come forth and attempted to push it into core and has been willing to do all the work required for it. As for GD, I would argue an

[PHP-DEV] GD vs Imagick

2017-08-15 Thread Rasmus Schultz
The following GD issue is all-too common: https://stackoverflow.com/questions/5773032/how-to-stop-gd2-from-washing-away-the-colors-upon-resizing-images Basically anyone who's ever accepted uploaded images and resized or converted them, has bumped into this. Only Imagick makes it possible to work

Re: [PHP-DEV] Unserialize security policy

2017-08-15 Thread Nikita Popov
On Fri, Aug 11, 2017 at 12:55 PM, Nikita Popov wrote: > On Thu, Aug 10, 2017 at 10:49 AM, Nikita Popov > wrote: > >> On Sun, Aug 6, 2017 at 12:49 AM, Stanislav Malyshev >> wrote: >> >>> Hi! >>> >>> > https://bugs.php.net/bug.php?id=75006 has been marked as a >>> non-security >>> > bug, with the