[nycphp-talk] PHP Vulnerability
George Schlossnagle
george at omniti.com
Fri Dec 17 16:34:06 EST 2004
I think in general it's bad policy to blame the victim, even when it's
due to some oversight. Besides, it really is an untenable standard
that people should have to manually deserialize all their data
themselves as a verification before then passing it to PHP. It is
unserialize's job to determine if its inputs are valid serialized data
or not.
The problem was that you could have something which for all intents
and purposes looked like a duck, quacked like a duck, but wasn't a duck
and resulted in an unchecked buffer overrun.
George
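The point George makes above, that it is the deserializer's job to decide whether input is well-formed, as an added example that is not code from this thread or from PHP's own implementation: a strict parser for the documented core of PHP's serialize() format (N, b, i, d, s, a), written in Python, which checks every declared string length and element count against the bytes actually present. A payload with a well-formed prefix that claims more data than it carries is rejected instead of trusted. The names php_unserialize, is_valid_serialization and MalformedSerialization, the nesting limit, and the sample payloads are my own choices; the sample inputs are constructed for the example and do not reproduce the 2004 bug's actual trigger, which the post does not give.

```python
"""Strict parser for the core of PHP's serialize() format.

Added example (not from the nycphp-talk thread, not PHP's own code).
Grammar handled:
    N;  b:<0|1>;  i:<int>;  d:<float>;  s:<len>:"<bytes>";  a:<n>:{<key><value>...}
Strings are returned as bytes because PHP strings are byte strings.
"""
import re

class MalformedSerialization(ValueError):
    """Raised for any input that is not exactly one well-formed value."""

# Hypothetical helper patterns, matched only at the current offset.
_INT = re.compile(rb'-?\d+')
_FLOAT = re.compile(rb'-?(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?|-?INF|NAN')

class _Parser:
    def __init__(self, data: bytes, max_depth: int = 32):
        self.data = data
        self.pos = 0
        self.max_depth = max_depth  # constructed limit against deeply nested arrays

    def _expect(self, tok: bytes) -> None:
        if not self.data.startswith(tok, self.pos):
            raise MalformedSerialization(f"expected {tok!r} at offset {self.pos}")
        self.pos += len(tok)

    def _match(self, pattern) -> bytes:
        m = pattern.match(self.data, self.pos)
        if m is None:
            raise MalformedSerialization(f"bad number at offset {self.pos}")
        self.pos = m.end()
        return m.group(0)

    def value(self, depth: int = 0):
        if depth > self.max_depth:
            raise MalformedSerialization("nesting too deep")
        if self.pos >= len(self.data):
            raise MalformedSerialization("unexpected end of data")
        tag = self.data[self.pos:self.pos + 1]
        self.pos += 1
        if tag == b'N':
            self._expect(b';')
            return None
        if tag == b'b':
            self._expect(b':')
            flag = self._match(_INT)
            if flag not in (b'0', b'1'):
                raise MalformedSerialization("boolean must be 0 or 1")
            self._expect(b';')
            return flag == b'1'
        if tag == b'i':
            self._expect(b':')
            n = int(self._match(_INT))
            self._expect(b';')
            return n
        if tag == b'd':
            self._expect(b':')
            f = float(self._match(_FLOAT))
            self._expect(b';')
            return f
        if tag == b's':
            self._expect(b':')
            n = int(self._match(_INT))
            self._expect(b':"')
            # The essential check: the declared length must fit inside the
            # bytes we actually hold, before a single byte is copied out.
            if n < 0 or self.pos + n > len(self.data):
                raise MalformedSerialization(
                    f"string length {n} exceeds remaining input at offset {self.pos}")
            s = self.data[self.pos:self.pos + n]
            self.pos += n
            self._expect(b'";')  # the closing quote must be exactly where the length says
            return s
        if tag == b'a':
            self._expect(b':')
            n = int(self._match(_INT))
            if n < 0:
                raise MalformedSerialization("negative element count")
            self._expect(b':{')
            result = {}
            for _ in range(n):  # every declared element must really be present
                key = self.value(depth + 1)
                if isinstance(key, bool) or not isinstance(key, (int, bytes)):
                    raise MalformedSerialization("array keys must be int or string")
                result[key] = self.value(depth + 1)
            self._expect(b'}')
            return result
        raise MalformedSerialization(f"unknown type tag {tag!r} at offset {self.pos - 1}")

def php_unserialize(data: bytes):
    """Parse exactly one value; trailing bytes are an error, not ignored."""
    p = _Parser(data)
    v = p.value()
    if p.pos != len(p.data):
        raise MalformedSerialization(f"trailing bytes after offset {p.pos}")
    return v

def is_valid_serialization(data: bytes) -> bool:
    """True only if the whole input is one well-formed value."""
    try:
        php_unserialize(data)
        return True
    except MalformedSerialization:
        return False

if __name__ == "__main__":
    # Constructed payloads: the first is honest, the others look right
    # up to the point where their declared sizes outrun the data.
    for sample in (b'a:2:{i:0;s:3:"abc";s:1:"k";b:1;}',
                   b's:64:"hi";', b'a:2:{i:0;s:1:"x";}', b's:3:"abcd";'):
        print(sample, "->", is_valid_serialization(sample))
```

The design choice worth noting is that validation is not a separate pre-pass the caller must remember to run: every length and count is checked at the moment it is consumed, so there is no way to reach the copy without passing the bounds check.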