Update UPGRADING

author: Stanislav Malyshev <stas@php.net> 2020-09-28 21:39:20 -0700
committer: Derick Rethans <github@derickrethans.nl> 2020-09-29 10:58:49 +0100
commit: e88dcdcdc86852bb5688afec05821a799bd3ad0d (patch)
tree: e09a38af565dde8d60a726323b6d812f5b3c6a52
parent: 5ffcee9d48c4bf9e817d3d2890069004a3685482 (diff)
download: php-git-e88dcdcdc86852bb5688afec05821a799bd3ad0d.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/UPGRADING b/UPGRADING
index 3dfaad6d90..40a768d6ba 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -125,6 +125,11 @@ DOM:
         After: ReflectionMethod::getClosure($object = null)
     The new signature is also (LSP) compatible with older PHP versions.
 
+- SAPI:
+  . Starting with 7.4.12, incoming cookie names are not url-decoded. This was never 
+    required by the standard, outgoing cookie names aren't encoded and this leads 
+    to security issues (CVE-2020-7070).
+
 - SPL:
   . Calling get_object_vars() on an ArrayObject instance will now always return
     the properties of the ArrayObject itself (or a subclass). Previously it
author	Stanislav Malyshev <stas@php.net>	2020-09-28 21:39:20 -0700
committer	Derick Rethans <github@derickrethans.nl>	2020-09-29 10:58:49 +0100
commit	e88dcdcdc86852bb5688afec05821a799bd3ad0d (patch)
tree	e09a38af565dde8d60a726323b6d812f5b3c6a52
parent	5ffcee9d48c4bf9e817d3d2890069004a3685482 (diff)
download	php-git-e88dcdcdc86852bb5688afec05821a799bd3ad0d.tar.gz