Newsgroups: php.internals
From: Remi Collet <remi@fedoraproject.org>
To: internals@lists.php.net
Subject: Re: [PHP-DEV] Unserialize security policy
Date: Sun, 6 Aug 2017 08:56:32 +0200
Message-ID: <28ba92a1-6554-b91a-5732-6477ad34ac39@fedoraproject.org>

On 06/08/2017 at 00:49, Stanislav Malyshev wrote:
> Hi!
>
>> https://bugs.php.net/bug.php?id=75006 has been marked as a non-security
>> bug, with the justification that unserialize() should not be fed untrusted
>> input. While we do document that unserialize() shouldn't be used on
>> untrusted input, we have always treated these as security bugs in the past.
>
> Not always, but sometimes we did. I think we should stop doing it, as to
> not validate the idea that unserialize can safely be used with untrusted
> data

+1
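The point the thread is making, that unserialize() cannot be made safe for untrusted input and callers must keep such data away from it, is easiest to see in code. The following is an added example written for this page, not code from PHP internals, from the bug report or from either participant. The class TempFileCleaner, the serialized payload, the file path and the HMAC key are all constructed here for the demonstration; it needs PHP 8.0 or later for constructor property promotion.

```php
<?php
// Added example: why unserialize() on attacker-controlled input is unsafe,
// and what a caller should do instead. Illustrative code for this page only;
// TempFileCleaner, $payload, $victim and $key are constructed for the demo.

declare(strict_types=1);

// An ordinary, legitimately useful class with a side effect in a magic
// method. Real code bases are full of classes like this.
final class TempFileCleaner
{
    public function __construct(public string $path) {}

    // Runs when the object is destroyed, including objects that
    // unserialize() built from a string the application never meant to
    // describe this class.
    public function __destruct()
    {
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Constructed attacker input: a serialized TempFileCleaner whose path is a
// file the application cares about. The attacker never calls
// "new TempFileCleaner"; unserialize() does it for them.
$victim = sys_get_temp_dir() . '/important.txt';
file_put_contents($victim, 'keep me');
$payload = 'O:15:"TempFileCleaner":1:{s:4:"path";s:' . strlen($victim) . ':"' . $victim . '";}';

// 1. Unsafe: default unserialize() instantiates whatever class the string
//    names; the temporary object is freed at once and the destructor fires.
unserialize($payload);
var_dump(file_exists($victim)); // bool(false)

// 2. Safer: refuse all classes. The string still parses, but the result is a
//    __PHP_Incomplete_Class and no method of TempFileCleaner runs. This does
//    nothing about bugs in the unserialize parser itself, which is exactly
//    why the thread treats untrusted input as out of scope for the function.
file_put_contents($victim, 'keep me');
$obj = unserialize($payload, ['allowed_classes' => false]);
var_dump($obj instanceof __PHP_Incomplete_Class); // bool(true)
var_dump(file_exists($victim));                   // bool(true)

// 3. Recommended: keep untrusted bytes away from unserialize() entirely.
//    Authenticate the blob with a server-side key so only data the
//    application itself produced reaches the parser, and use a data-only
//    format such as JSON for anything that crosses a trust boundary.
function seal(string $data, string $key): string
{
    return hash_hmac('sha256', $data, $key) . '|' . $data;
}

function unseal(string $sealed, string $key): ?string
{
    $parts = explode('|', $sealed, 2);
    if (count($parts) !== 2
        || !hash_equals(hash_hmac('sha256', $parts[1], $key), $parts[0])) {
        return null; // forged or tampered: never reaches unserialize()
    }
    return $parts[1];
}

$key = random_bytes(32); // constructed per-process key for the demo
$sealed = seal(serialize(['user' => 'alice', 'role' => 'viewer']), $key);
var_dump(unseal($sealed, $key) !== null);                        // bool(true)
var_dump(unseal($sealed . 'tampered', $key));                    // NULL
var_dump(unseal(str_replace('viewer', 'admin', $sealed), $key)); // NULL
```

The first two steps show the two layers of the problem: object instantiation and magic methods are the application-level hazard that allowed_classes addresses, while the engine's parser is the layer no option can protect, which is why the only robust position is that unserialize() is reserved for data the application produced and can authenticate.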