History log of /php-src/ext/standard/tests/serialize/serialization_objects_018.phpt (Results 1 – 1 of 1)
Revision Date Author Comments
# f2e8c5da 12-Jan-2023 Tim Düsterhus

unserialize: Strictly check for `:{` at object start (#10214)

* unserialize: Strictly check for `:{` at object start

* unserialize: Update CVE tests

It's unlikely that the

unserialize: Strictly check for `:{` at object start (#10214)

* unserialize: Strictly check for `:{` at object start

* unserialize: Update CVE tests

It's unlikely that the object syntax error contributed to the actual CVE. The
CVE is rather caused by the incorrect object serialization data of the `C`
format. Add a second string without such a syntax error to ensure that path is
still executed as well to ensure the CVE is absent.

* Fix test expectation in gmp/tests/bug74670.phpt

No changes to the input required, because the test actually is intended to
verify the behavior for a missing `}`, it's just that the report position changed.

* NEWS

* UPGRADING

show more ...