Re: [PHP-DEV] Heads up: merging security patches to 7

2015-09-03 Thread Yasuo Ohgaki
Hi Stas,

On Thu, Sep 3, 2015 at 1:56 PM, Stanislav Malyshev wrote:
>> I see a number of var_push_dtor() to fix unserialization.
>> var_push_dtor() or var_push_dtor_no_addref() is always required when
>> php_var_unserialize() fails.
>> Am I correct?
>
> Not necessarily.

Re: [PHP-DEV] Heads up: merging security patches to 7

2015-09-02 Thread Yasuo Ohgaki
Hi Stas,

On Wed, Sep 2, 2015 at 7:17 AM, Yasuo Ohgaki wrote:
> There are many fixes regarding unserialize.
> We also had many fixes regarding type mismatches.
> I suppose many 3rd party modules have the same issues.
>
> How about having a doc for secure PHP internal coding?

I'm

Re: [PHP-DEV] Heads up: merging security patches to 7

2015-09-02 Thread Stanislav Malyshev
Hi!

> I see a number of var_push_dtor() to fix unserialization.
> var_push_dtor() or var_push_dtor_no_addref() is always required when
> php_var_unserialize() fails.
> Am I correct?

Not necessarily. Basically, what happens is that when you do php_var_unserialize() the value you unserialize

[PHP-DEV] Heads up: merging security patches to 7

2015-09-01 Thread Stanislav Malyshev
Hi!

I've recently committed a number of fixes to the 5.x branch. These fixes mainly concern (un)serialization scenarios; you can see the full list in the 5.4/5.5 NEWS. These changes are not merged yet to master/7.0 since, due to extensive differences between 5.x and 7 in zval handling, they basically must

Re: [PHP-DEV] Heads up: merging security patches to 7

2015-09-01 Thread Yasuo Ohgaki
Hi Stas,

There are many fixes regarding unserialize. We also had many fixes regarding type mismatches. I suppose many 3rd party modules have the same issues.

How about having a doc for secure PHP internal coding?

--
Yasuo Ohgaki
yohg...@ohgaki.net

On Wed, Sep 2, 2015 at 5:55 AM, Stanislav Malyshev