Newsgroups: php.internals
From: smalyshev@sugarcrm.com (Stas Malyshev)
Organization: SugarCRM
Date: Mon, 27 Oct 2014 01:03:43 -0700
To: PHP Internals
Subject: [RFC] Serialize filtering
Message-ID: <544DFC5F.9020408@sugarcrm.com>

Hi!

I'd like to have a vote on the unserialize() improvement proposal outlined here:
https://wiki.php.net/rfc/secure_unserialize
soon-ish, but since the discussion on it was more than a year ago, I'd like to give it some prior notice and some time to reconsider.

I still think it is a good improvement, not fixing all problems but allowing some to be fixed at reasonable cost. I've added some outline of arguments discussed before, but I'm still open to comments. The patch is probably outdated, but I'll fix it if it's accepted; if not, I don't want to spend time on it.

I'd like to have a vote sometime next week, but if there's more discussion it can be postponed.

--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/