Newsgroups: php.internals
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Nikita Popov
Cc: Anatol Belski, PHP Internals, Remi Collet
Date: Tue, 1 Nov 2016 10:13:42 -0700
Subject: Re: [PHP-DEV] bug classification discussion

Hi!

> I'm also wondering under which category unserialize() issues would
> (usually) fall. I'd assume "low" (because requires documented insecure
> code + well known class of vulnerabilities).

I'd say medium. While it's documented that unserializing external
strings is unsafe, there is code out there that does exactly that.
Especially older code from times before JSON was mainstream.

--
Stas Malyshev
smalyshev@gmail.com