Re: [PHP-DEV] Unserialize security policy

2017-08-15 Thread Stanislav Malyshev
Hi! > The two main points are: > 1. While it's true that if you're using unserialize() on untrusted input > you are most likely going to be vulnerable due to object injection, it may > be quite hard for an attacker to exploit this for closed source Objects are not the problem (unless it's

[PHP-DEV] GOOD Benchmark Results for PHP Master 2017-08-14

2017-08-15 Thread lp_benchmark_robot
Results for project PHP master, build date 2017-08-14 19:23:08-07:00 commit: b8f20d7 previous commit: beb9295 revision date: 2017-08-14 21:23:05-04:00 environment: Haswell-EP cpu: Intel(R) Xeon(R) CPU E5-2699 v3 @ 2.30GHz 2x18 cores, stepping 2, LLC 45 MB

Re: [PHP-DEV] Unserialize security policy

2017-08-15 Thread Christoph M. Becker
On 15.08.2017 at 23:56, Christoph M. Becker wrote:
> What about references? Consider, for instance, the following code:
>
> $_POST['untrusted_input'] = 'a:1:{i:0;a:1:{i:0;R:2;}}';
>
> function flatten($array)
> {
>     if (is_array($array)) {
>         $result = [];

Re: [PHP-DEV] Unserialize security policy

2017-08-15 Thread Christoph M. Becker
On 11.08.2017 at 12:55, Nikita Popov wrote: > I think it might also be useful to make a distinction based on > allowed_classes here. I think there is a reasonable expectation that if > allowed_classes is empty (and as such any object injection vectors are > excluded), unserialize() should be

[PHP-DEV] Slow DateTimeZone::getTransitions with no argument

2017-08-15 Thread Andreas Treichel
Hi, Is the first entry in the return value of http://php.net/manual/en/datetimezone.gettransitions.php with the timestamp PHP_INT_MIN / ZEND_LONG_MIN intended? The difference with no arguments is over 100 times slower on 64 bit systems: DateTimeZone::getTransitions() Duration: 0.075577

[PHP-DEV] [RFC] Deprecate class instance deserialization in WDDX

2017-08-15 Thread Christoph M. Becker
Hi internals! Due to the recent discussion regarding WDDX serialization and security (), I've written an RFC that proposes to deprecate class instance deserialization in WDDX:

[PHP-DEV] Re: [PHP-WEBMASTER] Subscribe Function Seems to be down for several days

2017-08-15 Thread Alan Feuerbacher
On 8/3/2017 9:06 AM, Andreas Heigl wrote: Seems like the mailing list needs some love… again… Cheers Andreas On 03.08.17 at 17:02, Alan Feuerbacher wrote: I've been trying for several days to subscribe to a PHP mailing list, but I keep getting the message "We were unable to subscribe you

[PHP-DEV] Re: GD vs Imagick

2017-08-15 Thread Christoph M. Becker
On 15.08.2017 at 12:52, Rasmus Schultz wrote: > The following GD issue is all-too common: > > https://stackoverflow.com/questions/5773032/how-to-stop-gd2-from-washing-away-the-colors-upon-resizing-images > > Basically anyone who's ever accepted uploaded images and resized or > converted them,

Re: [PHP-DEV] GD vs Imagick

2017-08-15 Thread Dan Ackroyd
On 15 August 2017 at 12:11, Kalle Sommer Nielsen wrote: > the maintainer of Imagick, Hey, that's me! > and work together with the maintainer of Imagick, Actually, it would be lovely if anyone contributed to Imagick. I've been the maintainer of the extension for a little over

Re: [PHP-DEV] GD vs Imagick

2017-08-15 Thread Derick Rethans
On Tue, 15 Aug 2017, Rasmus Schultz wrote: > The following GD issue is all-too common: > > https://stackoverflow.com/questions/5773032/how-to-stop-gd2-from-washing-away-the-colors-upon-resizing-images > > Basically anyone who's ever accepted uploaded images and resized or > converted them, has

Re: [PHP-DEV] GD vs Imagick

2017-08-15 Thread Kalle Sommer Nielsen
2017-08-15 12:52 GMT+02:00 Rasmus Schultz: > Why is the less-capable image library the default on the PHP platform? Why > not Imagick? Most likely because no one has come forth and attempted to push it into core and been willing to do all the work required for it. As

[PHP-DEV] GD vs Imagick

2017-08-15 Thread Rasmus Schultz
The following GD issue is all-too common: https://stackoverflow.com/questions/5773032/how-to-stop-gd2-from-washing-away-the-colors-upon-resizing-images Basically anyone who's ever accepted uploaded images and resized or converted them, has bumped into this. Only Imagick makes it possible to

Re: [PHP-DEV] Unserialize security policy

2017-08-15 Thread Nikita Popov
On Fri, Aug 11, 2017 at 12:55 PM, Nikita Popov wrote: > On Thu, Aug 10, 2017 at 10:49 AM, Nikita Popov > wrote: > >> On Sun, Aug 6, 2017 at 12:49 AM, Stanislav Malyshev >> wrote: >> >>> Hi! >>> >>> >