Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved

      Description

      Noncompliant Code Example

      $data = $_GET["data"];
      $object = unserialize($data);
      // ...
      

      Compliant Solution

      $data = $_GET["data"];
      
      // The client supplies "hash|data": an HMAC-SHA256 tag followed by the serialized payload
      list($hash, $data) = explode('|', $data, 2);
      // "secret-key" stands in for a server-side secret that the client never sees
      $hash_confirm = hash_hmac("sha256", $data, "secret-key");
      
      // Confirm that the data integrity is not compromised before deserializing;
      // hash_equals() compares in constant time so the check does not leak the tag via timing
      if (hash_equals($hash_confirm, $hash)) {
        $object = unserialize($data);
        // ...
      }
      
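      A fuller version of the Compliant Solution, added here as an example and not code from the rule itself: it shows the producer side that builds the `hash|data` token, and a consumer that rejects malformed or tampered input before `unserialize()` is ever reached. The helper names, the `SIGNING_KEY` constant and the sample payload are assumptions for illustration.

```php
<?php
// Added example (not part of the rule spec): sign serialized data with an HMAC
// on the way out, verify the tag on the way in, and only then call unserialize().
declare(strict_types=1);

// Placeholder secret (assumption); load a real key from configuration, never from source.
const SIGNING_KEY = 'replace-with-a-random-32-byte-key';

// Producer side: serialize and prepend an HMAC-SHA256 tag, "hash|data" as in the rule.
function signSerialized(mixed $value, string $key): string
{
    $data = serialize($value);
    $hash = hash_hmac('sha256', $data, $key);
    return $hash . '|' . $data;
}

// Consumer side: returns the decoded value, or null when the tag is missing or wrong.
function verifyAndUnserialize(string $token, string $key): mixed
{
    $parts = explode('|', $token, 2);
    if (count($parts) !== 2) {
        return null; // no separator: malformed input, never passed to unserialize()
    }
    [$hash, $data] = $parts;
    $hashConfirm = hash_hmac('sha256', $data, $key);
    // Constant-time comparison; the known-good value goes first.
    if (!hash_equals($hashConfirm, $hash)) {
        return null; // tag mismatch: payload was altered or forged
    }
    // Defence in depth: even signed data is decoded without instantiating objects,
    // so a leaked key cannot be turned into a gadget chain through __wakeup()/__destruct().
    return unserialize($data, ['allowed_classes' => false]);
}

// Constructed sample: a legitimate token round-trips, a tampered one is rejected.
$token = signSerialized(['user' => 'alice', 'role' => 'viewer'], SIGNING_KEY);
var_dump(verifyAndUnserialize($token, SIGNING_KEY));          // array(2) with role "viewer"

$tampered = str_replace('viewer', 'editor', $token);           // same length, serialized form stays valid
var_dump(verifyAndUnserialize($tampered, SIGNING_KEY));       // NULL
var_dump(verifyAndUnserialize('no-separator-here', SIGNING_KEY)); // NULL
```

      Requires PHP 8.0 or later for the `mixed` type; on PHP 7 replace it with an untyped parameter and return value.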

            People

              Reporter: lars.svensson Lars Svensson (Inactive)