Newsgroups: php.internals
Message-ID: <544F98BF.8000000@fedoraproject.org>
Date: Tue, 28 Oct 2014 14:23:11 +0100
To: PHP Internals
References: <544DFC5F.9020408@sugarcrm.com>
In-Reply-To: <544DFC5F.9020408@sugarcrm.com>
Subject: Re: [PHP-DEV] [RFC] Serialize filtering
From: remi@fedoraproject.org (Remi Collet)

On 27/10/2014 09:03, Stas Malyshev wrote:
> Hi!
>
> I'd like to have a vote on unserialize() improvement proposal
> outlined here: https://wiki.php.net/rfc/secure_unserialize
>
> soon-ish, but since discussion on it has been more than a year ago
> I'd like to give it some prior notice and some time to re-consider.
> I still think it is a good improvement, not fixing all problems but
> allowing to fix some at reasonable cost. I've added some outline of
> arguments discussed before, but still open for comments. The patch
> is probably outdated but I'll fix it if it's accepted, if not I
> don't want to spend time on it. I'd like to have a vote sometime
> next week, but if there's more discussion it can be postponed.
>

+1 as this seems to have a real benefit for security
(implementation details such as function or option names are... details)

Remi.