Update UPGRADING

author: Stanislav Malyshev <stas@php.net> 2020-09-28 21:38:58 -0700
committer: Stanislav Malyshev <stas@php.net> 2020-09-28 21:38:58 -0700
commit: 311922ddbe091afbbf63a344ec7b96e224ecf238 (patch)
tree: 7581a0f211409ef6f9b6505c11bfa97722647291
parent: 6acfb79276809d70bafe91a45267c8a307ca900d (diff)
download: php-git-311922ddbe091afbbf63a344ec7b96e224ecf238.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/UPGRADING b/UPGRADING
index 7944087c43..2e8d358075 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -151,6 +151,11 @@ Reflection:
   . Reflection export to string now uses `int` and `bool` instead of `integer`
     and `boolean`.
 
+- SAPI:
+  . Starting with 7.3.24, incoming cookie names are not url-decoded. This was never 
+    required by the standard, outgoing cookie names aren't encoded and this leads 
+    to security issues (CVE-2020-7070).
+
 SPL:
   . If an SPL autoloader throws an exception, following autoloaders will not be
     executed. Previously all autoloaders were executed and exceptions were
author	Stanislav Malyshev <stas@php.net>	2020-09-28 21:38:58 -0700
committer	Stanislav Malyshev <stas@php.net>	2020-09-28 21:38:58 -0700
commit	311922ddbe091afbbf63a344ec7b96e224ecf238 (patch)
tree	7581a0f211409ef6f9b6505c11bfa97722647291
parent	6acfb79276809d70bafe91a45267c8a307ca900d (diff)
download	php-git-311922ddbe091afbbf63a344ec7b96e224ecf238.tar.gz