From 807dd17d85e962303e47f62af418e229847d15a8 Mon Sep 17 00:00:00 2001 From: Tyson Andre Date: Tue, 4 Aug 2020 20:31:42 -0400 Subject: [PATCH] [skip ci] Document Phar metadata unserialization change --- NEWS | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/NEWS b/NEWS index 27f853b4fb2dd..a08ddca95b58d 100644 --- a/NEWS +++ b/NEWS @@ -30,6 +30,11 @@ PHP NEWS . Modernized oci_register_taf_callback() callable argument parsing implementation. (girgias) +- Phar: + . Metadata associated with a phar will no longer be automatically unserialized, + to fix potential security vulnerabilities due to object instantiation, autoloading, etc. + RFC: https://wiki.php.net/rfc/phar_stop_autoloading_metadata (tandre) + 23 Jul 2020, PHP 8.0.0alpha3 - Core:
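Review bot: The new "- Phar:" entry in NEWS says metadata "will no longer be automatically unserialized" but does not say which operation used to trigger the unserialization or how code that relies on the metadata is expected to obtain it now, so a reader has to follow the RFC link to learn whether they are affected. Consider adding one clause to the entry that names the point at which metadata is still unserialized, since that is the remaining place where the "object instantiation, autoloading" risk applies. The trailing "etc." in the second added line is also vague for a security-relevant changelog entry; either list the remaining side effects or drop it.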