@robocoder opened this Issue on December 18th 2010 Contributor

Written in PHP, these compatibility functions differ from the built-ins in one respect: they don't serialize/unserialize objects.

We currently sign and apply a blacklist on cookies, so this doesn't add any security value there.

But PhpSecInfo has a test that unserializes content from php.net.

@robocoder commented on December 18th 2010 Contributor

(In [3460]) fixes #1900 - use safe_unserialize() for third-party content; for signed cookies, replace serialize/unserialize with the more compact json_encode()/json_decode()

@mattab commented on December 22nd 2010 Member

(In [3507]) Fixing broken tracking, json_decode returning objects but code is using the data as array. Refs #1900

@robocoder commented on December 22nd 2010 Contributor

(In [3508]) refs #1900, fixes #1911

This Issue was closed on December 22nd 2010
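
The two changes discussed in this thread, sketched as an added example that is not code from the project or from the commits referenced above: a signed cookie carried as JSON and decoded to arrays, and an unserialize call for third-party content that refuses to instantiate classes. The function names, key and sample values are hypothetical, and PHP's built-in `allowed_classes` option (PHP 7.0+) stands in for the userland `safe_unserialize()` the thread mentions.

```php
<?php
// Added illustration; names, key and sample data are constructed for this example.

const COOKIE_KEY = 'constructed-demo-key'; // constructed sample secret

// Encode an array as JSON and append an HMAC-SHA256 tag over the payload.
function cookie_encode(array $data, string $key): string
{
    $payload = base64_encode(json_encode($data));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Verify the tag first, then decode. Returns null on any failure.
function cookie_decode(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $tag] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $tag)) {
        return null; // tampered, or signed with a different key
    }
    $json = base64_decode($payload, true);
    if ($json === false) {
        return null;
    }
    // Second argument true => associative arrays. The default returns
    // stdClass objects, which breaks callers that index the result as an array.
    $data = json_decode($json, true);
    return is_array($data) ? $data : null;
}

// Third-party content: never instantiate a class while unserializing.
function unserialize_no_objects(string $blob)
{
    return unserialize($blob, ['allowed_classes' => false]);
}

$cookie = cookie_encode(['idvisitor' => 'abc123', 'ts' => 1292630400], COOKIE_KEY);
var_dump(cookie_decode($cookie, COOKIE_KEY));        // valid signature: decoded array
var_dump(cookie_decode($cookie . 'x', COOKIE_KEY));  // altered tag: rejected

$blob = 'O:8:"stdClass":1:{s:1:"a";i:1;}';           // constructed serialized object
var_dump(get_class(unserialize_no_objects($blob)));  // class is not instantiated
```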