Re: Resolution for ver_export()/addslashes() encoding based script execution attack?

Date: Wed, 26 Feb 2014 11:52:40 +0000
Subject: Re: Resolution for ver_export()/addslashes() encoding based script execution attack?
Groups: php.internals
Hi!

> The situation around var_export() is a bit more complicated.
> var_export() is used to create application configuration, cache data
> etc. so one might expect the PHP which created that to be able to read
> that, again. Doing this isn't easy, though, as it makes the generated
> file non-portable. 

Are you suggesting if var_export generates the data it may not be
readable by standard PHP? Or by PHP running with specific
script_encoding like SJIS? If the latter, I think var_export to generate
valid SJIS data is hard to achieve, since SJIS is not ASCII-compatible.
-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
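
Why byte-wise escaping and Shift_JIS do not mix, as an added example that is not part of the original message or of PHP's source: some double-byte Shift_JIS characters end in the byte 0x5C, the ASCII backslash. The helper names are hypothetical, and `bytewise_escape` is a simplified model of the string escaping var_export() performs, not its actual implementation.

```python
# Added example; sample strings below are constructed for illustration.

def bytewise_escape(raw: bytes) -> bytes:
    """Simplified model: prefix every 0x5C (\\) and 0x27 (') byte with a
    backslash, looking at single bytes only and ignoring the encoding."""
    out = bytearray()
    for b in raw:
        if b in (0x5C, 0x27):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def is_sjis_lead(b: int) -> bool:
    """True for the first byte of a double-byte Shift_JIS character."""
    return 0x81 <= b <= 0x9F or 0xE0 <= b <= 0xFC


def ambiguous_trail_bytes(raw: bytes) -> list:
    """Offsets where 0x5C is the second byte of a double-byte character,
    i.e. where a byte-wise escaper would mistake it for a backslash."""
    hits, i = [], 0
    while i < len(raw):
        if is_sjis_lead(raw[i]):
            if i + 1 < len(raw) and raw[i + 1] == 0x5C:
                hits.append(i + 1)
            i += 2  # skip lead and trail byte together
        else:
            i += 1  # ASCII or single-byte half-width katakana
    return hits


def safe_for_bytewise_escape(text: str) -> bool:
    """Check a value before exporting it into a Shift_JIS source file."""
    return not ambiguous_trail_bytes(text.encode("shift_jis"))


if __name__ == "__main__":
    for sample in ["abc", "日本語", "表", "ソフト"]:
        raw = sample.encode("shift_jis")
        print(sample, raw.hex(" "), "->", bytewise_escape(raw).hex(" "),
              "safe" if safe_for_bytewise_escape(sample) else "AMBIGUOUS")
```

For the flagged values the escaper inserts a byte in the middle of a character, so the exported bytes are no longer the same text when read back as Shift_JIS.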

