From 0b8e06a9d57982c7b6a36aad4ea43e90389cc2b2 Mon Sep 17 00:00:00 2001 From: Paul Holden Date: Mon, 27 Nov 2023 23:47:45 +0000 Subject: [PATCH] Add unserialize() method to danger list. Can lead to code execution exploits if not used properly with user supplied data. There are better methods of data exchange. --- general/development/policies/codingstyle/index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/general/development/policies/codingstyle/index.md b/general/development/policies/codingstyle/index.md index 86be630339..91af2e869a 100644 --- a/general/development/policies/codingstyle/index.md +++ b/general/development/policies/codingstyle/index.md @@ -2073,6 +2073,7 @@ PHP includes multiple questionable features that are highly discouraged because 1. do not use `preg_replace()` with /e modifier - use callbacks in order to prevent unintended PHP execution. 1. do not use backticks for shell command execution. 1. do not use `goto`, neither the operator neither labels - use other programming techniques to control the execution flow. +1. do not use `unserialize`, can lead to unintended PHP execution if not used properly with user supplied data - there are better methods of data exchange. ## Policy about coding-style only fixes
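Review bot: The new list item reads as a sentence fragment ("do not use `unserialize`, can lead to ...") and is inconsistent with the neighbouring items, which name functions with parentheses (`preg_replace()`); suggest "do not use `unserialize()` - it can lead to unintended PHP execution if used with user supplied data - use other data exchange formats such as JSON (`json_encode()`/`json_decode()`) instead." Naming the alternative makes the guidance actionable, since "there are better methods of data exchange" on its own does not tell the reader which one the project expects.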