Newsgroups: php.internals
Message-ID: <545931A7.9000302@sugarcrm.com>
Date: Tue, 04 Nov 2014 12:05:59 -0800
From: smalyshev@sugarcrm.com (Stas Malyshev)
Organization: SugarCRM
To: Nikita Popov
CC: PHP Internals
References: <5457EF60.1020103@sugarcrm.com> <54591EC3.9080202@sugarcrm.com>
Subject: Re: [PHP-DEV] [RFC] [VOTE] Filtered unserialize()

Hi!

> To clarify: I don't think it makes sense to add an additional security
> option, if we cannot say that unserialize() is to our knowledge *fully*

That's where we disagree. I think security is a spectrum, and you can make it better. It looks like you think it's binary - either it is *fully* airtight secure, or there's no point even bothering. I think there is a point.

> Just looking at your implementation again, it looks like "false" is not
> a special value and you actually accept anything, regardless of type. So

The RFC is not about a specific pull, it's about the design. If there are bugs in the pull, they can be fixed.

--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/