Hi Stas,

On Wed, Sep 2, 2015 at 7:17 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> There are many fixes regarding unserialize.
> We also had many fixes regarding type mismatches.
> I suppose many 3rd party modules have the same issues.
>
> How about having a doc for secure PHP internal coding?

I'm writing the draft.

I see a number of var_push_dtor() calls added to fix unserialization.
var_push_dtor() or var_push_dtor_no_addref() is always required when
php_var_unserialize() fails.
Am I correct?

It will cover
 - Pointers to general secure programming resources
 - Basic memory management and debugging (how to use run-tests.php)
 - Unserialization
 - Type confusion
 - Typical overflows

If there is anything to add, please let me know.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php