[PHP-DEV] Re: WDDX serialization and security

2017-08-13 Thread Nikita Popov
On Sun, Aug 13, 2017 at 5:08 PM, Christoph M. Becker wrote: > On 11.08.2017 at 15:15, Nikita Popov wrote: > > > Same question here as with unserialize(). > > https://bugs.php.net/bug.php?id=75007 has recently been classified as > not a > > security bug, because WDDX should not

Re: [PHP-DEV] Re: [Bug] [Discussion] filter_var and reserved IP address range

2017-08-13 Thread Andrew Nester
> On 13 Aug 2017, at 18:46, Dan Ackroyd wrote: > >> On 3 August 2017 at 18:08, Andrew Nester wrote: >> >>> On Jun 13, 2017, at 6:03 PM, Andrew Nester wrote: >>> >>> Hello! >>> Currently I am working on bug #74699 (Thanks

Re: [PHP-DEV] Stop Exceptions capturing object references for trace arguments

2017-08-13 Thread Niklas Keller
2017-08-12 17:54 GMT+02:00 Stanislav Malyshev : > Hi! > > > My only concern is if anyone is using this data for anything other than > > debugging - e.g. if they were somehow extracting extra context about the > > exception by traversing the backtrace to a particular point and

Re: [PHP-DEV] Re: WDDX serialization and security

2017-08-13 Thread Stanislav Malyshev
Hi! > IMHO, implementing support for objects has been a most unfortunate > decision, because WDDX was indeed not designed for that > (). Considering > https://bugs.php.net/bug.php?id=75044 makes the situation worse. > Agreed, and it was also

[PHP-DEV] Re: [Request][Discussion] Double value as array key improvement

2017-08-13 Thread Andrew Nester
> On 11 Aug 2017, at 15:53, Andrew Nester wrote: > > >> On Aug 11, 2017, at 2:10 PM, Andrew Nester wrote: >> >> Hello everyone! >> >> I was working on the following request https://bugs.php.net/bug.php?id=75053 >> which resulted in the following pull

[PHP-DEV] Re: [Request][Discussion] Double value as array key improvement

2017-08-13 Thread Christoph M. Becker
On 13.08.2017 at 20:39, Andrew Nester wrote: > On 11 Aug 2017, at 15:53, Andrew Nester wrote: > >> Here is the alternative solution which emits E_WARNING in case of integer >> array index overflow. >> https://github.com/php/php-src/pull/2677 > > My preferred solution is

[PHP-DEV] Re: WDDX serialization and security

2017-08-13 Thread Christoph M. Becker
On 11.08.2017 at 15:15, Nikita Popov wrote: > Same question here as with unserialize(). > https://bugs.php.net/bug.php?id=75007 has recently been classified as not a > security bug, because WDDX should not be fed untrusted data. > > To provide some context here, our WDDX implementation is

Re: [PHP-DEV] Stop Exceptions capturing object references for trace arguments

2017-08-13 Thread Rowan Collins
On 13/08/2017 15:31, Niklas Keller wrote: If it's explicitly needed, someone could still just call `debug_backtrace()` and manually store the args in the exception constructor, no? That depends exactly how it's being used, but yes if you control the throw site or Exception constructor you

Re: [PHP-DEV] Re: [Bug] [Discussion] filter_var and reserved IP address range

2017-08-13 Thread Dan Ackroyd
On 3 August 2017 at 18:08, Andrew Nester wrote: > >> On Jun 13, 2017, at 6:03 PM, Andrew Nester wrote: >> >> Hello! >> Currently I am working on bug #74699 (Thanks brianlmoon for pointing out this >> issue). >> >> Here are some details: >> In patch applied for