[php-maint] Bug#639230: [php5] README.Debian.security: unclear reference to unserialize() risk
chealer at gmail.com
Thu Aug 25 07:05:25 UTC 2011
> Most specifically, the security team will not provide
> support for flaws in:
> - problems which are not flaws in the design of php but can be problematic
> when used by sloppy developers (for example: not checking the contents
> of a tar file before extracting it, using unserialize() on
> untrusted data, or relying on a specific value of short_open_tag).
It is unclear to me how using unserialize() on untrusted data would
create a particular risk. Do you perhaps mean extract()?
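The risk the README alludes to, shown as an added example (not code from the README, from PHP, or from this thread): unserialize() on untrusted input instantiates any class the application has loaded, with property values chosen by the sender, and the class's magic methods (__wakeup(), __destruct()) run automatically on that data. The CacheEntry class, the serialized strings and the path value below are constructed for this demonstration; the allowed_classes option requires PHP 7.0 or later.

```php
<?php
// Added example: why unserialize() on untrusted data is a risk, and the
// mitigations. Class, serialized strings and path are constructed here.

class CacheEntry
{
    public $path;

    // Magic methods run automatically during unserialize() and object
    // teardown; whatever property values the sender chose flow into them.
    public function __wakeup()
    {
        echo "__wakeup() called with path=" . $this->path . "\n";
    }

    public function __destruct()
    {
        // In a real application this might unlink(), write to, or include
        // $this->path. Here it only reports what it would have used.
        echo "__destruct() called with path=" . $this->path . "\n";
    }
}

// What the application expects to receive: a serialized array of scalars.
$expected = serialize(['user' => 'alice', 'theme' => 'dark']);

// What an untrusted source can send instead: a serialized object of any
// loaded class, with properties of the sender's choosing (constructed).
$hostile = 'O:10:"CacheEntry":1:{s:4:"path";s:13:"/tmp/anything";}';

echo "--- unsafe: unserialize() with no class restriction ---\n";
var_dump(unserialize($expected));         // array, as intended
$obj = unserialize($hostile);             // instantiates CacheEntry; __wakeup() runs
var_dump(get_class($obj));                // string(10) "CacheEntry"
unset($obj);                              // __destruct() runs on the sender's path

echo "--- safer: allowed_classes => false (PHP 7.0+) ---\n";
var_dump(unserialize($expected, ['allowed_classes' => false])); // still an array
$obj = unserialize($hostile, ['allowed_classes' => false]);
var_dump(get_class($obj));                // "__PHP_Incomplete_Class": no magic methods run
unset($obj);                              // nothing of the application's code runs

echo "--- safest: a data-only format for untrusted input ---\n";
var_dump(json_decode('{"user":"alice","theme":"dark"}', true)); // plain array
```

The contrast with extract() is that extract() clobbers variables in the current scope, whereas unserialize() hands execution to methods of existing classes with attacker-supplied state; restricting allowed_classes (or using a data-only format such as JSON for anything that crosses a trust boundary) closes the latter.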