1
0
mirror of https://github.com/danog/psalm.git synced 2024-11-27 12:55:26 +01:00
psalm/docs/running_psalm/issues/TaintedUnserialize.md

793 B
Raw Blame History

TaintedUnserialize

Tainted input detected to an unserialize call.

Passing untrusted user input to unserialize calls is dangerous from the PHP documentation on unserialize:

Do not pass untrusted user input to unserialize() regardless of the options value of allowed_classes. Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this. Use a safe, standard data interchange format such as JSON (via json_decode() and json_encode()) if you need to pass serialized data to the user.

<?php

$command = $_GET["data"];

getObject($command);

function getObject(string $data) : object {
    return unserialize($data);
}