Hi Stas,
On Thu, Sep 3, 2015 at 1:56 PM, Stanislav Malyshev wrote:
>> I see a number of var_push_dtor() to fix unserialization.
>> var_push_dtor() or var_push_dtor_no_addref() is always required when
>> php_var_unserialize() has failed.
>> Am I correct?
>
> Not necessarily. Basically, what happens i
Hi!
> I see a number of var_push_dtor() to fix unserialization.
> var_push_dtor() or var_push_dtor_no_addref() is always required when
> php_var_unserialize() has failed.
> Am I correct?
Not necessarily. Basically, what happens is that when you do
php_var_unserialize() the value you unserialize gets
Hi Stas,
On Wed, Sep 2, 2015 at 7:17 AM, Yasuo Ohgaki wrote:
> There are many fixes regarding unserialize.
> We also had many fixes regarding type mismatches.
> I suppose many 3rd party modules have the same issues.
>
> How about having a doc for secure PHP internal coding?
I'm writing the draft.
I s
Hi Stas,
There are many fixes regarding unserialize.
We also had many fixes regarding type mismatches.
I suppose many 3rd party modules have the same issues.
How about having a doc for secure PHP internal coding?
--
Yasuo Ohgaki
yohg...@ohgaki.net
On Wed, Sep 2, 2015 at 5:55 AM, Stanislav Malyshev
Hi!
I've recently committed a number of fixes to the 5.x branch. These fixes
mainly concern (un)serialization scenarios, you can see the full list in
5.4/5.5 NEWS. These changes are not merged yet to master/7.0 since due
to extensive differences between 5.x and 7 in zval handling, they
basically must