Newsgroups: php.internals
From: Nikita Popov <nikita.ppv@gmail.com>
To: PHP internals <internals@lists.php.net>
Date: Wed, 2 Aug 2017 22:02:39 +0200
Subject: Unserialize security policy

Hi,

https://bugs.php.net/bug.php?id=75006 has been marked as a non-security bug, with the justification that unserialize() should not be fed untrusted input.

While we do document that unserialize() shouldn't be used on untrusted input, we have always treated these as security bugs in the past.

Could somebody please clarify our current security policy with regard to unserialize?

Thanks,
Nikita