[php-maint] Bug#639230: Bug#639230: Re: [php5] README.Debian.security: unclear reference to unserialize() risk

Thijs Kinkhorst thijs at debian.org
Thu Feb 2 09:17:33 UTC 2012

On Wed, February 1, 2012 00:38, Filipus Klutiero wrote:
>>>>    when used by sloppy developers (for example: not checking the
>>>> contents
>>>>    of a tar file before extracting it, using unserialize() on
>>>>    untrusted data, or relying on a specific value of short_open_tag).

> I understand from Thijs's comment that the README is alluding to the
> built-in unserialize() function:
> http://ca.php.net/manual/en/function.unserialize.php
> Assuming that is correct, please consider this report a reminder to
> clarify.

Thanks, but given that unserialize is followed by () it should make it
clear we're referring to a specific function, and the whole document is
clearly in the context of the PHP interpreter. Googling for "php
unserialize" instantly yields the relevant documentation for those who
want to know more. I prefer to keep this brief so it actually gets read,
and don't think further clarification is necessary.


More information about the pkg-php-maint mailing list