[PHP-DEV] Re: Fix for unserialise() "vulnerabilities"

2017-10-12 Thread Dmitry Stogov
On Oct 12, 2017 6:01 PM, Nikita Popov wrote:
> On Thu, Oct 12, 2017 at 4:38 PM, Dmitry Stogov wrote:
> > Hi, I've found that at least half of unserialise() security problems occur because of non-symmetric serialize/unserialize

[PHP-DEV] Re: Fix for unserialise() "vulnerabilities"

2017-10-12 Thread Nikita Popov
On Thu, Oct 12, 2017 at 4:38 PM, Dmitry Stogov wrote:
> Hi,
>
> I've found that at least half of unserialise() security problems occur
> because of non-symmetric serialize/unserialize assumption regarding
> references encoded with "r".
>
> serialize() assumes it's an