Hi!
> Looking into the number of unserialize() related "security" issues, I
> think we should fix all of them once and forever, introducing a
> validation pass.
>
> In case something in provided data is wrong (e.g. duplicated properties
> or array keys, unexpected types, invalid references,
016 8:53:58 PM
To: PHP internals
Subject: [PHP-DEV] [Bug #68319] unserialize() with modified class definition.
https://bugs.php.net/bug.php?id=68319
https://3v4l.org/irnRC
The crux is this:
* Object instance gets serialized with one definition, maybe stored in
DB/file, whatever, the serialized value lives on.
* Class definition changes slightly. In this case, a property changes
visibility.
* Serialized