Hi Stas,

> -----Original Message-----
> From: Stanislav Malyshev [mailto:[email protected]]
> Sent: Tuesday, November 1, 2016 6:14 PM
> To: Nikita Popov <[email protected]>
> Cc: Anatol Belski <[email protected]>; PHP Internals
> <[email protected]>; Remi Collet <[email protected]>
> Subject: Re: [PHP-DEV] bug classification discussion
>
> Hi!
>
> > I'm also wondering under which category unserialize() issues would
> > (usually) fall. I'd assume "low" (because requires documented insecure
> > code + well known class of vulnerabilities).
>
> I'd say medium. While it's documented that unserializing external strings is
> unsafe, there is code out there that does exactly that.
> Especially older code from times before JSON was mainstream.
>

I can do that.

Regards

Anatol

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
