Newsgroups: php.internals
Xref: news.php.net php.internals:100148
Subject: Re: Unserialize security policy
From: cmbecker69@gmx.de ("Christoph M. Becker")
To: Nikita Popov, PHP internals
Date: Wed, 2 Aug 2017 23:05:54 +0200
Message-ID: <1773299d-4f3e-b81c-c5c0-41df4c18c9ed@gmx.de>

On 02.08.2017 at 22:02, Nikita Popov wrote:

> https://bugs.php.net/bug.php?id=75006 has been marked as a non-security
> bug, with the justification that unserialize() should not be fed untrusted
> input. While we do document that unserialize() shouldn't be used on
> untrusted input, we have always treated these as security bugs in the past.
>
> Could somebody please clarify our current security policy with regard to
> unserialize?

According to the security issue classification[1], it seems to me such
issues are correctly classified as "Not a security issue"[2] by virtue of
the clause: "requires the use of code or settings known to be insecure".

[1]
[2]

-- 
Christoph M. Becker
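The "code known to be insecure" that the classification clause refers to is a call to unserialize() on attacker-controlled bytes. The following is an added illustration, not code from the thread or from the PHP project, of why that call is dangerous and what the call site can do about it. The class FileCleaner, the payload string and the paths are constructed for the example; the allowed_classes option itself is real (PHP 7.0 and later).

```php
<?php
// Added example, not part of the original mailing-list post.
// Shows why unserialize() on untrusted input is treated as insecure by
// design, and the call-site mitigations that exist.

// Constructed "gadget": any class in the codebase with a magic method
// (__wakeup, __destruct, __toString, ...) is reachable through a payload.
class FileCleaner
{
    public string $path = '';

    public function __destruct()
    {
        // In a real application this might be unlink($this->path).
        // Kept harmless here so the example can be run safely.
        echo "__destruct() ran with attacker-chosen path: {$this->path}\n";
    }
}

// Constructed attacker-controlled payload: the serialized data, not the
// application, decides which class gets instantiated and with what state.
$untrusted = 'O:11:"FileCleaner":1:{s:4:"path";s:14:"/tmp/important";}';

// INSECURE: arbitrary object instantiation; the destructor above fires
// when $obj goes out of scope, with the attacker's $path.
function insecureDecode(string $payload): mixed
{
    return unserialize($payload);
}

// HARDENED (PHP >= 7.0): refuse to instantiate any class. Objects in the
// payload become __PHP_Incomplete_Class, whose magic methods never run.
function noObjectsDecode(string $payload): mixed
{
    $value = unserialize($payload, ['allowed_classes' => false]);
    if ($value === false && $payload !== 'b:0;') {
        throw new UnexpectedValueException('Malformed serialized data');
    }
    return $value;
}

// HARDENED, allowlist variant: only the named DTO classes may be created.
function allowlistDecode(string $payload, array $classes): mixed
{
    return unserialize($payload, ['allowed_classes' => $classes]);
}

$safe = noObjectsDecode($untrusted);
var_dump($safe instanceof __PHP_Incomplete_Class);   // bool(true)

$still = allowlistDecode($untrusted, [stdClass::class]);
var_dump($still instanceof FileCleaner);             // bool(false)

// Uncomment to see the attacker-triggered code path:
// $obj = insecureDecode($untrusted); unset($obj);
```

Two caveats a reviewer should keep in mind. First, allowed_classes only restricts which classes the payload may instantiate; the unserialize parser itself still runs over attacker-controlled bytes, so a memory-safety bug inside the unserializer is not mitigated by it, which is exactly why the manual tells you not to pass untrusted input to unserialize() at all. Second, for data that genuinely crosses a trust boundary, prefer a format with no object semantics, such as json_decode($input, true, 512, JSON_THROW_ON_ERROR), and treat the PHP serialization format as internal only.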