Hi!
As many probably know, unserialize() has a security issue following from
the fact that you can create objects with data from unserialize(), and
these objects may have behavior that is invoked automatically - namely
__destruct - that can result in unintended results. See e.g.
http://heine.familiedeelstra.com/security/unserialize
among others for a more detailed description.
So I propose a modification to unserialize():
https://wiki.php.net/rfc/secure_unserialize
that would make one of the common cases - serializing data to be stored
on the user side or a user-accessible side - more secure by avoiding
instantiating all objects (or all objects not belonging to a whitelist)
and keeping them as incomplete objects instead.
Comments and suggestions welcome,
--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
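The mechanism the message proposes shipped in PHP 7.0 as the `allowed_classes` option of unserialize(). The script below is an added example, not code from the post or from the RFC; the `Logger` and `Settings` classes, the serialized payload strings and the `safeUnserialize()` helper are constructed for illustration. It shows a class with a `__destruct` side effect being instantiated by an unrestricted unserialize(), then the same payload becoming a `__PHP_Incomplete_Class` (no behavior, no destructor) under `allowed_classes => false` and under a whitelist that does not name it.

```php
<?php
// Added example (not part of the original mailing-list post).
// Requires PHP >= 7.0 for the second argument of unserialize().

class Logger
{
    public $file;

    // Behavior invoked automatically when the object is freed: this is the
    // kind of side effect the post warns about when the data is user-supplied.
    public function __destruct()
    {
        echo "Logger::__destruct ran with file={$this->file}\n";
    }
}

class Settings
{
    public $theme = 'light';
}

// Constructed sample payloads, as they might arrive in a cookie or form field.
$loggerPayload   = 'O:6:"Logger":1:{s:4:"file";s:13:"/tmp/whatever";}';
$settingsPayload = 'O:8:"Settings":1:{s:5:"theme";s:4:"dark";}';

// 1. Unrestricted unserialize(): Logger is instantiated, so __destruct runs.
echo "--- unrestricted ---\n";
$obj = unserialize($loggerPayload);
echo get_class($obj), "\n";          // Logger
unset($obj);                         // triggers Logger::__destruct

// 2. allowed_classes => false: nothing is instantiated; the data is kept in a
//    __PHP_Incomplete_Class placeholder that carries no methods at all.
echo "--- allowed_classes => false ---\n";
$obj = unserialize($loggerPayload, ['allowed_classes' => false]);
echo get_class($obj), "\n";          // __PHP_Incomplete_Class
unset($obj);                         // no destructor to run

// 3. Whitelist: Settings may be instantiated, Logger still becomes incomplete.
echo "--- allowed_classes => ['Settings'] ---\n";
$opts = ['allowed_classes' => ['Settings']];
$settings = unserialize($settingsPayload, $opts);
var_dump($settings instanceof Settings);                                  // bool(true)
var_dump(unserialize($loggerPayload, $opts) instanceof __PHP_Incomplete_Class); // bool(true)

// 4. Defender-side helper (hypothetical): treat any incomplete object as an
//    error rather than silently carrying attacker-chosen class names around.
function safeUnserialize(string $data, array $allowed)
{
    $value = unserialize($data, ['allowed_classes' => $allowed]);
    if ($value instanceof __PHP_Incomplete_Class) {
        throw new UnexpectedValueException(
            'serialized data referenced a class outside the whitelist'
        );
    }
    return $value;
}

try {
    safeUnserialize($loggerPayload, ['Settings']);
} catch (UnexpectedValueException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Note that an incomplete object still round-trips: serializing a `__PHP_Incomplete_Class` reproduces the original class name and properties, so a whitelist only stops code from running, it does not sanitize the data. That is why the helper rejects incomplete objects outright instead of passing them on.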