Deserialization of untrusted data

Open: xgin opened this issue 4 years ago • 1 comment

I want to resolve the ZDI-20-1051 vulnerability (additional details) using JSON serialization when possible and the list of allowed classes in other cases.

xgin, Nov 22 '21 13:11

The allowed_classes option was added in PHP 7.0, so we can only use this in IMP 7. For IMP 6, we need to find a different solution. Or at least do a version check.

yunosh, Jan 12 '22 20:01
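
The two ideas in this thread (JSON where possible, `allowed_classes` behind a version check) combined in one decoder, as an added example that is not IMP or Horde code. The function name `decode_stored()`, its parameters, and the object-marker check used on PHP versions before 7.0 are assumptions made for illustration, not a solution proposed in the issue.

```php
<?php
/**
 * Added example, not IMP/Horde code. decode_stored() is a hypothetical name.
 * Written in PHP 5 compatible syntax so the version check is meaningful.
 */
function decode_stored($data, array $allowed_classes = array())
{
    // 1. Prefer JSON: decoding it never instantiates PHP classes,
    //    so no magic methods (__wakeup, __destruct) can be triggered.
    $value = json_decode($data, true);
    if (json_last_error() === JSON_ERROR_NONE) {
        return $value;
    }

    if (version_compare(PHP_VERSION, '7.0.0', '>=')) {
        // 2. PHP >= 7.0: only classes on the allow-list are instantiated.
        //    Any other class comes back as __PHP_Incomplete_Class.
        $value = unserialize($data, array('allowed_classes' => $allowed_classes));
    } else {
        // 3. Older PHP has no allow-list option. Assumption for this example:
        //    refuse every payload that contains an object ("O:") or custom
        //    serialized ("C:") marker. This is deliberately conservative and
        //    also rejects strings that merely look like such a marker.
        if (preg_match('/[OC]:[+-]?\d+:"/', $data)) {
            throw new InvalidArgumentException('Serialized objects are not accepted');
        }
        $value = unserialize($data);
    }

    // unserialize() returns false on malformed input and for a stored false.
    if ($value === false && $data !== 'b:0;') {
        throw new InvalidArgumentException('Malformed serialized data');
    }
    return $value;
}

// Constructed sample inputs.
var_dump(decode_stored('{"folder":"INBOX","page":2}'));      // JSON path
var_dump(decode_stored('a:1:{s:6:"folder";s:5:"INBOX";}'));  // legacy array
try {
    // Object payload with an empty allow-list: incomplete class on PHP >= 7.0,
    // exception on older versions.
    var_dump(decode_stored('O:8:"stdClass":0:{}'));
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```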