[php-maint] Bug#639230: Bug#639230: Re: [php5] README.Debian.security: unclear reference to unserialize() risk
chealer at gmail.com
Thu Feb 2 17:43:54 UTC 2012
On 2012-02-02 04:17, Thijs Kinkhorst wrote:
> On Wed, February 1, 2012 00:38, Filipus Klutiero wrote:
>>>>> when used by sloppy developers (for example: not checking the
>>>>> of a tar file before extracting it, using unserialize() on
>>>>> untrusted data, or relying on a specific value of short_open_tag).
>> I understand from Thijs's comment that the README is alluding to the
>> built-in unserialize() function:
>> Assuming that is correct, please consider this report a reminder to
> Thanks, but given that unserialize is followed by () it should make it
> clear we're referring to a specific function, and the whole document is
> clearly in the context of the PHP interpreter.
It is clear that it refers to a specific function, but it is unclear
which, it could also refer to Serializable::unserialize().
> Googling for "php
> unserialize" instantly yields the relevant documentation for those who
> want to know more. I prefer to keep this brief so it actually gets read,
> and don't think further clarification is necessary.
If we want brevity, I recommend dropping the examples. In fact, from
what I understand, the entire item should be scrapped.
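The risk the README alludes to, as an added example that is not part of this thread, of Debian's README.Debian.security, or of PHP's own documentation. It shows why the built-in unserialize() function is the dangerous call when its argument is untrusted, and how that differs from a Serializable::unserialize() method, which is only a hook the engine invokes on data it already decided belongs to that class. The class names TempFile and Report, the hostile payload string, and the helper function names are all constructed for the illustration; the code assumes PHP 7.0 or later for the allowed_classes option (on PHP 8.1+ the Serializable interface emits a deprecation notice unless __serialize()/__unserialize() are also implemented, which is irrelevant to the point made here).

```php
<?php
// Added example, not code from the bug thread or from Debian's README.
// Class names, payload and helper names below are constructed for illustration.

// A class with a destructor that has side effects. It never appears in the
// application's input handling; it merely has to be loaded.
class TempFile
{
    public $path;

    public function __destruct()
    {
        // Real code might call unlink($this->path); here we only report it.
        echo "TempFile::__destruct would remove {$this->path}\n";
    }
}

// The class the application actually expects to receive. Its unserialize()
// METHOD (Serializable::unserialize) is called by the engine with the bytes
// found inside a C:...:{...} record for this class; it does not decide which
// class gets instantiated, the payload's class name does.
class Report implements Serializable
{
    public $title = '';

    public function serialize()
    {
        return $this->title;
    }

    public function unserialize($data)
    {
        $this->title = $data;
    }
}

// What a well-behaved client sends, e.g. C:6:"Report":0:{}
$expected = serialize(new Report());

// What an attacker sends instead: the class name is part of the data, so the
// engine builds a TempFile object from it and later runs its destructor.
$hostile = 'O:8:"TempFile":1:{s:4:"path";s:11:"/etc/passwd";}';

// Unsafe: the built-in unserialize() instantiates whatever loaded class the
// payload names and runs its __wakeup()/__destruct() logic.
function unsafeLoad($blob)
{
    return unserialize($blob);
}

// Safer: only the expected class may be instantiated (anything else becomes a
// __PHP_Incomplete_Class with no destructor), and the result is type-checked.
function safeLoad($blob)
{
    $obj = unserialize($blob, ['allowed_classes' => ['Report']]);
    return $obj instanceof Report ? $obj : null;
}

// --- demonstration ---------------------------------------------------------
echo "expected payload: {$expected}\n";

$r = unsafeLoad($expected);
echo "unsafeLoad(expected) -> " . get_class($r) . "\n";

// The hostile blob produces a TempFile; dropping the reference triggers
// __destruct immediately, i.e. attacker-chosen code runs on attacker data.
$t = unsafeLoad($hostile);
echo "unsafeLoad(hostile)  -> " . get_class($t) . "\n";
unset($t);

// With allowed_classes the hostile blob yields an incomplete object, which
// safeLoad() rejects; no destructor fires.
$s = safeLoad($hostile);
echo "safeLoad(hostile)    -> " . ($s === null ? 'rejected' : get_class($s)) . "\n";
```

The takeaway for the README wording is that the risk lies in calling the built-in function on data whose class names an attacker controls, not in implementing a Serializable::unserialize() method. Restricting allowed_classes reduces the exposure but does not remove it (a permitted class can still have dangerous magic methods, and nested objects are also subject to the filter); for untrusted input the usual advice is to avoid PHP's native serialization format altogether and use a data-only format such as JSON.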