Despite providing class whitelisting [1] and documentation about warnings
about security impacts [2], we continue to see vulnerable uses of
unserialize() in Drupal modules [3] and partially effective attempts to
mitigate vulnerabilities from user-supplied, serialized data [4].
Whitelisting legal c
Hi, I'm David Strauss (with wiki username dts). I'm a member of various
Drupal teams, including the security team, and I'd like to create an RFC to
provide additional mitigation options for vulnerabilities related to
unserializing data. I perform other work related to PHP inte
nstances you don't actually want to share across pools anyway.
That's certainly the case. I'll update the RFC.
--
David Strauss
| da...@davidstrauss.net
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
-based services (not discussed in or related to the
RFC) like those in systemd become more widespread, I'd imagine a lot
of applications like nginx, Apache, and PHP-FPM could cede their
internal virtual host/multi-pool models in favor of standardized
provisioning of multiple instances.
--
D
be in the container, something else needs to
listen on its behalf.
Finally, it's a platform consistency issue. As more services move to
socket activation in Fedora and Red Hat, socket units will become a
sort of "common currency" for configuring which services listen where.
--
David S
The full RFC, including initial patches, is here:
https://wiki.php.net/rfc/socketactivation
In short, this allows spawning a PHP-FPM pool on-demand with systemd
initializing the main socket.
--
David Strauss
| da...@davidstrauss.net
Hi!
There is a small problem in cgi_main.c preventing it from being compiled
properly with some compilers.
WS2tcpip.h will get included into cgi_main.c by following inclusion chain:
cgi_main.c <- php_standard.h <- fsock.h <- php_network.h <- WS2tcpip.h
Since php.h is included several lines before, so