Phar file deserialization in PHP < 8.0
TLDR:
I want to reproduce the RCE from phar file deserialization described in GitHub/advisory/97m3.
I fabricate an HTML file that includes a malicious SVG file in its <img> tag.
Adding debug prints, I make sure I hit file_exists wit…