[php-maint] Bug#639230: Bug#639230: Re: [php5] README.Debian.security: unclear reference to unserialize() risk

Filipus Klutiero chealer at gmail.com
Thu Feb 2 17:43:54 UTC 2012


On 2012-02-02 04:17, Thijs Kinkhorst wrote:
> On Wed, February 1, 2012 00:38, Filipus Klutiero wrote:
>>>>>     when used by sloppy developers (for example: not checking the
>>>>> contents
>>>>>     of a tar file before extracting it, using unserialize() on
>>>>>     untrusted data, or relying on a specific value of short_open_tag).
>> I understand from Thijs's comment that the README is alluding to the
>> built-in unserialize() function:
>> http://ca.php.net/manual/en/function.unserialize.php
>> Assuming that is correct, please consider this report a reminder to
>> clarify.
> Thanks, but given that unserialize is followed by () it should make it
> clear we're referring to a specific function, and the whole document is
> clearly in the context of the PHP interpreter.

It is clear that it refers to a specific function, but it is unclear
which; it could also refer to Serializable::unserialize().
> Googling for "php
> unserialize" instantly yields the relevant documentation for those who
> want to know more. I prefer to keep this brief so it actually gets read,
> and don't think further clarification is necessary.
>

If we want brevity, I recommend dropping the examples. In fact, from 
what I understand, the entire item should be scrapped.
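
As an added illustration (not part of this thread or of the Debian README
it discusses), the following PHP snippet shows the risk the README item
alludes to with the built-in unserialize() and the usual ways to constrain
it. The class, the serialized string and the use of the allowed_classes
option (PHP 7.0 and later) are assumptions made for this example.

```php
<?php
// Added example, not code from the bug report or from the php5 package.
// Demonstrates why unserialize() on untrusted input is a risk and how to
// contain it. CacheEntry and the payload below are constructed here.

class CacheEntry
{
    public $path;

    // Magic methods run during unserialize() whether or not the caller
    // expected this class to appear; that is the core of the problem with
    // untrusted input.
    public function __wakeup()
    {
        echo "CacheEntry::__wakeup() ran for path=" . $this->path . "\n";
    }
}

// Constructed "untrusted" input, e.g. what a client might send in a cookie
// or form field. It names a class the application never meant to accept.
$untrusted = 'O:10:"CacheEntry":1:{s:4:"path";s:9:"/tmp/junk";}';

// 1. Sloppy: the interpreter instantiates whatever class the string names
//    and runs that class's __wakeup()/__destruct() hooks.
$obj = unserialize($untrusted);
echo "unconstrained: " . get_class($obj) . "\n";

// 2. Constrained (PHP >= 7.0): allowed_classes => false maps every object
//    to __PHP_Incomplete_Class, so no magic method of CacheEntry runs.
$safe = unserialize($untrusted, ['allowed_classes' => false]);
echo "allowed_classes=false: " . get_class($safe) . "\n";

// 3. Allow-list only the types you actually expect. Note that the hooks of
//    an allowed class still run, so the class itself must be safe to
//    rebuild from attacker-controlled fields.
$typed = unserialize($untrusted, ['allowed_classes' => ['CacheEntry']]);
echo "allow-listed: " . get_class($typed) . "\n";

// 4. For data that only ever needs scalars and arrays, json_decode() never
//    instantiates application classes, so there is nothing to constrain.
$data = json_decode('{"path":"/tmp/junk"}', true);
echo "json: " . $data['path'] . "\n";
```

Run it with the php CLI; the first call prints the __wakeup() line, the
allowed_classes => false call does not. On PHP 5, which this thread is
about, the second argument does not exist, which is one reason the README
could only advise against using unserialize() on untrusted data at all.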
