Update UPGRADING

smalyshev · smalyshev · commit 311922ddbe09 · 2020-09-28T21:38:58.000-07:00
diff --git a/UPGRADING b/UPGRADING
@@ -151,6 +151,11 @@ Reflection:
   . Reflection export to string now uses `int` and `bool` instead of `integer`
     and `boolean`.
 
+- SAPI:
+  . Starting with 7.3.24, incoming cookie names are not url-decoded. This was never 
+    required by the standard, outgoing cookie names aren't encoded and this leads 
+    to security issues (CVE-2020-7070).
+
 SPL:
   . If an SPL autoloader throws an exception, following autoloaders will not be
     executed. Previously all autoloaders were executed and exceptions were
