[php-maint] Bug#639230: [php5] README.Debian.security: unclear reference to unserialize() risk
Filipus Klutiero
chealer at gmail.com
Thu Aug 25 07:05:25 UTC 2011
Package: php5
Version: 5.3.8-1
Severity: minor
README.Debian.security contains:
> Most specifically, the security team will not provide
> support for flaws in:
>
> - problems which are not flaws in the design of php but can be problematic
> when used by sloppy developers (for example: not checking the contents
> of a tar file before extracting it, using unserialize() on
> untrusted data, or relying on a specific value of short_open_tag).
It is unclear to me how using unserialize() on untrusted data would
create a particular risk. Do you perhaps mean extract()?
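Added example, not from the bug report or the php5 package, illustrating the risk the README alludes to: unserialize() reconstructs whatever class the input names and runs that class's magic methods on attacker-chosen property values, and shows how to contain it. The CacheEntry class and unserializeScalarsOnly() are hypothetical; the allowed_classes option assumes PHP 7.0 or later, which the 5.3.8 package in this report predates.

```php
<?php
// Added example (not part of the bug report or the php5 package).
// Assumes PHP >= 7.4 (typed properties, allowed_classes option).

// Hypothetical application class. unserialize() rebuilds it from any
// string naming it, and __wakeup() runs on the property values carried
// in that string, even though the application never produced it.
class CacheEntry
{
    public string $path = '/var/cache/app/default';

    public function __wakeup(): void
    {
        // Application code executes here with whatever $path the input held.
        echo "wakeup: path={$this->path}\n";
    }
}

// Constructed sample input: a serialized CacheEntry with a caller-chosen
// path, as it could arrive in a cookie or request parameter.
$untrusted = 'O:10:"CacheEntry":1:{s:4:"path";s:13:"/tmp/injected";}';

// Unsafe: default unserialize() instantiates any loadable class and
// __wakeup() has already run by the time this line returns.
$obj = unserialize($untrusted);
var_dump($obj instanceof CacheEntry);   // bool(true)

// Hardened: refuse class instantiation entirely. Objects in the input
// become __PHP_Incomplete_Class and no application method is invoked.
function unserializeScalarsOnly(string $data)
{
    $value = unserialize($data, ['allowed_classes' => false]);
    if ($value instanceof __PHP_Incomplete_Class) {
        throw new UnexpectedValueException('objects are not accepted in this input');
    }
    return $value;
}

try {
    unserializeScalarsOnly($untrusted);
} catch (UnexpectedValueException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// Preferred when the data need not be objects at all: a format that
// performs no class instantiation.
$safe = json_decode('{"path":"/var/cache/app/default"}', true, 512, JSON_THROW_ON_ERROR);
var_dump($safe['path']);
```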