From e88dcdcdc86852bb5688afec05821a799bd3ad0d Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 28 Sep 2020 21:39:20 -0700
Subject: Update UPGRADING

---
 UPGRADING | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/UPGRADING b/UPGRADING
index 3dfaad6d90..40a768d6ba 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -125,6 +125,11 @@ DOM:
         After: ReflectionMethod::getClosure($object = null)
     The new signature is also (LSP) compatible with older PHP versions.
 
+- SAPI:
+  . Starting with 7.4.12, incoming cookie names are not url-decoded. This was never 
+    required by the standard, outgoing cookie names aren't encoded and this leads 
+    to security issues (CVE-2020-7070).
+
 - SPL:
   . Calling get_object_vars() on an ArrayObject instance will now always return
     the properties of the ArrayObject itself (or a subclass). Previously it
-- 
cgit v1.2.1