Newsgroups: php.internals (php.internals:96700)
Subject: RE: [PHP-DEV] bug classification discussion
From: "Anatol Belski" <anatol.php@belski.net>
To: "Stanislav Malyshev", "Nikita Popov"
Cc: "PHP Internals", "Remi Collet"
Date: Tue, 1 Nov 2016 18:55:08 +0100
Message-ID: <028f01d23469$1846cfb0$48d46f10$@belski.net>
In-Reply-To: <4e2b43b1-71d8-6617-274e-9da8abf4c073@gmail.com>

Hi Stas,

> -----Original Message-----
> From: Stanislav Malyshev [mailto:smalyshev@gmail.com]
> Sent: Tuesday, November 1, 2016 6:14 PM
> To: Nikita Popov
> Cc: Anatol Belski; PHP Internals; Remi Collet
> Subject: Re: [PHP-DEV] bug classification discussion
>
> Hi!
>
> > I'm also wondering under which category unserialize() issues would
> > (usually) fall. I'd assume "low" (because requires documented insecure
> > code + well known class of vulnerabilities).
>
> I'd say medium. While it's documented that unserializing external strings is
> unsafe, there is code out there that does exactly that.
> Especially older code from times before JSON was mainstream.

I can do that.

Regards

Anatol
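The "documented insecure" unserialize() pattern the quoted exchange refers to, next to the two mitigations a maintainer would reach for, as an added example that is not part of the original thread (the AuditLogger class and the file path are hypothetical):

```php
<?php
// Added example, not code from the PHP project or the thread above.
// The class and its file path are hypothetical.

class AuditLogger
{
    public string $file = '/tmp/app.log';

    // Magic methods such as __wakeup() run automatically while unserialize()
    // rebuilds an object. That is why feeding attacker-controlled serialized
    // data to unserialize() is the "well known class of vulnerabilities"
    // mentioned in the discussion: the input chooses which class is
    // instantiated and therefore which code runs.
    public function __wakeup(): void
    {
        echo "__wakeup() ran for " . static::class . "\n";
    }
}

// Constructed sample input: a serialized AuditLogger object. In a real
// application this string would come from a cookie, request body, etc.
$payload = serialize(new AuditLogger());

// 1) The documented-insecure pattern: external string straight into
//    unserialize(). Any class known to the application can be instantiated
//    and its __wakeup()/__destruct() logic triggered.
$obj = unserialize($payload);

// 2) Mitigation (PHP >= 7.0): refuse to instantiate any class. Objects in
//    the input come back as __PHP_Incomplete_Class and no magic method runs.
$safe = unserialize($payload, ['allowed_classes' => false]);
var_dump($safe instanceof __PHP_Incomplete_Class);

//    An allow-list of specific classes is also possible, but every listed
//    class's magic methods become reachable again, so keep it minimal.
$limited = unserialize($payload, ['allowed_classes' => ['AuditLogger']]);

// 3) Preferred for external input: a data-only format such as JSON, which
//    can never instantiate application classes.
$data = json_decode('{"file":"/tmp/app.log"}', true, 512, JSON_THROW_ON_ERROR);
var_dump($data['file']);
```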