DevelArt Ivan Vlk

Results 47 comments of DevelArt Ivan Vlk

Anyone to own this and create PR, pls?

@hungtrinh if someone has initiative, I'm not against it :)

@hungtrinh btw, you are right that we have to be very cautious here, as some changes and new functions can potentially override already inherited methods. Therefore I'll make as clear...

Anyone to take a deeper look at this?

Some more details on what this is about: https://cwe.mitre.org/data/definitions/502.html Basically we have to sanitize data after unserialization. Recommendations: Phases: Architecture and Design; Implementation. If available, use the signing/sealing features of the programming...

After a brief check, there is a shitload of direct usage of unserialize, so we have to do this in 2 steps: 1) create an internal sanitized unserialize function 2) replace direct unserialize PHP...

@Jimbolino I don't think anyone will ever rewrite all the classes to use JSON, that's simply too much. We can rather think about using an internal function as I wrote...

@rruchte I fully agree. And serializing is not the same as storing a JSON representation as well. If someone has an idea how to use that recommended _hash_hmac_ method to avoid any...
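A concrete shape for the internal wrapper and the hash_hmac signing discussed in these comments, as an added example that is not the project's code; the key handling, the `v1.` version prefix, the function names and the class allow-list are assumptions:

```php
<?php
// Added example (not the project's code): an internal wrapper that verifies an
// HMAC over the serialized payload before calling unserialize(), and disables
// object instantiation unless a class is explicitly allowed (CWE-502 mitigation).
// $key, the "v1." prefix and the allow-list parameter are assumptions for the demo.

function secure_serialize(mixed $value, string $key): string
{
    $data = serialize($value);
    // Bind the tag to a format version so the scheme can be rotated later.
    $tag = hash_hmac('sha256', 'v1.' . $data, $key);
    return 'v1.' . $tag . '.' . base64_encode($data);
}

function secure_unserialize(string $payload, string $key, array $allowedClasses = []): mixed
{
    // Base64 and hex never contain '.', so splitting on it is unambiguous.
    $parts = explode('.', $payload, 3);
    if (count($parts) !== 3 || $parts[0] !== 'v1') {
        throw new UnexpectedValueException('Malformed or unversioned payload');
    }
    [, $tag, $encoded] = $parts;
    $data = base64_decode($encoded, true);
    if ($data === false) {
        throw new UnexpectedValueException('Payload is not valid base64');
    }
    $expected = hash_hmac('sha256', 'v1.' . $data, $key);
    // hash_equals() compares in constant time, so the check does not leak timing.
    if (!hash_equals($expected, $tag)) {
        throw new UnexpectedValueException('HMAC mismatch: payload tampered with or signed with another key');
    }
    // Only now call unserialize(), and only with an explicit class allow-list;
    // an empty list means no objects at all (they become __PHP_Incomplete_Class).
    return unserialize($data, ['allowed_classes' => $allowedClasses ?: false]);
}

// Demo with a constructed value and a constructed key (load the real key from config).
$key = 'replace-with-a-random-secret-from-config';
$payload = secure_serialize(['user' => 42, 'roles' => ['editor']], $key);
var_dump(secure_unserialize($payload, $key));

try {
    // Flip the first hex digit of the tag: rejected before unserialize() ever runs.
    $tampered = $payload;
    $tampered[3] = ($tampered[3] === '0') ? '1' : '0';
    secure_unserialize($tampered, $key);
} catch (UnexpectedValueException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Replacing each direct `unserialize()` call with this wrapper is the second step the comments describe; any caller that genuinely needs objects back passes the specific class names it expects.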

@rruchte how is this connected to unserialize vulnerability? I'm kind of missing the point completely tbh :)

@rruchte then this is just the first step, as we have like 30 unserialization occurrences.