Stas,
The fact is that people do use serialize() for data that may be > accessible by the user (or made accessible by unrelated security issues, > which may be upgraded in severity by this - e.g. from SQL injection to > persistent code backdoor on the server). There are many ways to do > things differently, and they are known. However, as I said, the fact is > people do use serialize() and may not even realize the data aren't as > secure as they are. That's why many security tools flag any object with > dtor in application using unserialize as insecure. This is not a good > situation, and presently there are no way to avoid it except dropping > serialize() completely - which may not be an option is some cases and in > any case would require serious changes to the production code. > > This enhancement is to fix this problem. It is not to change best > practices or give advice on how to write the most secure system - it is > to make existing code more secure easily. I definitely see your point, and don't disagree with it at all. Again, my concern is that people will then be tempted to use serialization to the client as it's "safe" (with these modifications). Which I think we should discourage for new code.... So what if we did this: We implement your RFC, but also put a warning in the docs that serialize() shouldn't be used in places where a user or third party can modify the output (to use json_encode() for those areas). That way we're not encouraging serialize to be used in places it shouldn't, but also give those with legacy codebases or really awkward use-cases the ability to be "more secure"... Thoughts?
