Hi,
Stanislav Malyshev wrote:
Hi!
The two main points are:
1. While it's true that if you're using unserialize() on untrusted input
you are most likely going to be vulnerable due to object injection, it may
be quite hard for an attacker to exploit this for closed source
Objects are not the p
Hi!
> The two main points are:
> 1. While it's true that if you're using unserialize() on untrusted input
> you are most likely going to be vulnerable due to object injection, it may
> be quite hard for an attacker to exploit this for closed source
Objects are not the problem (unless it's interna
On 15.08.2017 at 23:56, Christoph M. Becker wrote:
> What about references? Consider, for instance, the following code:
>
>
> $_POST['untrusted_input'] = 'a:1:{i:0;a:1:{i:0;R:2;}}';
>
> function flatten($array)
> {
> if (is_array($array)) {
> $result = [];
On 11.08.2017 at 12:55, Nikita Popov wrote:
> I think it might also be useful to make a distinction based on
> allowed_classes here. I think there is a reasonable expectation that if
> allowed_classes is empty (and as such any object injection vectors are
> excluded), unserialize() should be safe.
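The two previews above (Christoph's `R:2;` payload and Nikita's point about `allowed_classes`) describe one concrete trap, so here is an added PHP example that puts them together; it is not code from the thread. It assumes PHP 7.3 or later (for `JSON_THROW_ON_ERROR`), and the `flatten_guarded()` helper and its depth limit are this example's own, not anything proposed on the list.

```php
<?php
// Added example (not from the thread). Shows that passing
// ['allowed_classes' => false] rules out object injection but does not make
// unserialize() safe: the serialization format can still express references
// (R:n), and a reference back into the structure yields a cyclic array that
// breaks naive recursive code.

// Constructed payload, the one quoted in the thread. Slot numbering starts at
// 1 for the outer array, so slot 2 is the inner array; "R:2;" makes the inner
// array's only element a PHP reference to the inner array itself.
$untrusted = 'a:1:{i:0;a:1:{i:0;R:2;}}';

// No classes allowed, so any "O:" entry would become __PHP_Incomplete_Class.
// The reference cycle is accepted anyway.
$data = unserialize($untrusted, ['allowed_classes' => false]);

// $data[0][0] is a reference to $data[0], so $data[0][0][0][0]... never ends.
var_dump($data[0][0][0][0] === $data[0]); // bool(true)

// A textbook recursive flatten() recurses forever on this structure (stack
// overflow or memory exhaustion), which is why it is not called on $data here.
function flatten_naive(array $array): array
{
    $result = [];
    foreach ($array as $value) {
        if (is_array($value)) {
            $result = array_merge($result, flatten_naive($value));
        } else {
            $result[] = $value;
        }
    }
    return $result;
}

// Hardened variant (assumption for this example): cap the recursion depth and
// refuse input that exceeds it. Cycle detection by identity is not practical
// for PHP arrays because they are copied by value, so a depth bound is the
// pragmatic guard.
function flatten_guarded(array $array, int $maxDepth = 32, int $depth = 0): array
{
    if ($depth > $maxDepth) {
        throw new RuntimeException(
            "nesting deeper than $maxDepth levels, refusing input (possible reference cycle)"
        );
    }
    $result = [];
    foreach ($array as $value) {
        if (is_array($value)) {
            foreach (flatten_guarded($value, $maxDepth, $depth + 1) as $leaf) {
                $result[] = $leaf;
            }
        } else {
            $result[] = $value;
        }
    }
    return $result;
}

try {
    flatten_guarded($data);
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}

// Well-formed input still flattens normally.
var_dump(flatten_guarded([[1, 2], [3, [4]]])); // [1, 2, 3, 4]

// For genuinely untrusted input the safer route is a format that cannot
// express objects or references at all. JSON has neither; json_decode()
// additionally takes its own depth limit.
$safe = json_decode('[[1,2],[3,[4]]]', true, 32, JSON_THROW_ON_ERROR);
var_dump(flatten_guarded($safe)); // [1, 2, 3, 4]
```

The point to take from running it: `allowed_classes => false` closes the object-injection door but leaves the rest of the unserialize() grammar, references included, fully attacker-controlled, so code that walks the result still has to defend itself, and untrusted data is better exchanged in a format that cannot encode references in the first place.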
On Fri, Aug 11, 2017 at 12:55 PM, Nikita Popov wrote:
> On Thu, Aug 10, 2017 at 10:49 AM, Nikita Popov
> wrote:
>
>> On Sun, Aug 6, 2017 at 12:49 AM, Stanislav Malyshev
>> wrote:
>>
>>> Hi!
>>>
>>> > https://bugs.php.net/bug.php?id=75006 has been marked as a
>>> non-security
>>> > bug, with the
On Thu, Aug 10, 2017 at 10:49 AM, Nikita Popov wrote:
> On Sun, Aug 6, 2017 at 12:49 AM, Stanislav Malyshev
> wrote:
>
>> Hi!
>>
>> > https://bugs.php.net/bug.php?id=75006 has been marked as a non-security
>> > bug, with the justification that unserialize() should not be fed
>> untrusted
>> > in
On Sun, Aug 6, 2017 at 12:49 AM, Stanislav Malyshev
wrote:
> Hi!
>
> > https://bugs.php.net/bug.php?id=75006 has been marked as a non-security
> > bug, with the justification that unserialize() should not be fed
> untrusted
> > input. While we do document that unserialize() shouldn't be used on
>
On 06/08/2017 at 00:49, Stanislav Malyshev wrote:
> Hi!
>
>> https://bugs.php.net/bug.php?id=75006 has been marked as a non-security
>> bug, with the justification that unserialize() should not be fed untrusted
>> input. While we do document that unserialize() shouldn't be used on
>> untrusted i
Hi!
> https://bugs.php.net/bug.php?id=75006 has been marked as a non-security
> bug, with the justification that unserialize() should not be fed untrusted
> input. While we do document that unserialize() shouldn't be used on
> untrusted input, we have always treated these as security bugs in the p
> On 2 Aug 2017, at 23:03, Nikita Popov wrote:
>
> Hi,
>
> https://bugs.php.net/bug.php?id=75006 has been marked as a non-security
> bug, with the justification that unserialize() should not be fed untrusted
> input. While we do document that unserialize() shouldn't be used on
> untrusted input