Add some references for `unserialize`, and fix an external link

author: jvoisin 2017-11-28 14:20:49 +0100
committer: jvoisin 2017-11-28 14:20:49 +0100
commit: e3a16ae170ceeb7a33c44fd3c3fe862cde122936 (patch)
tree: bed758a14eedca64bb0c7db180edffbff0a8b5a6
parent: 878ae591ec07751f8224cdf05c6a14141a2d787b (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/doc/source/features.rst b/doc/source/features.rst
index 59aeac2..407c0c0 100644
--- a/doc/source/features.rst
+++ b/doc/source/features.rst
@@ -118,7 +118,8 @@ Unserialize-related magic
 ^^^^^^^^^^^^^^^^^^^^^^^^^
 PHP is able to *serialize* arbitrary objects, to easily store them.
-Unfortunately, it is often possible to gain arbitrary code execution upon deserialization
+Unfortunately, as demonstrated by `Stefan Esser <https://twitter.com/i0n1c>`__ in his `Shocking News in PHP Exploitation <https://www.owasp.org/images/f/f6/POC2009-ShockingNewsInPHPExploitation.pdf>`__ and `Utilizing Code Reuse/ROP in PHP
+Application Exploits <https://www.owasp.org/images/9/9e/Utilizing-Code-Reuse-Or-Return-Oriented-Programming-In-PHP-Application-Exploits.pdf>`__ slides, it is often possible to gain arbitrary code execution upon deserialization
 of user-supplied serialized objects.
  Do not pass untrusted user input to ``unserialize()`` regardless of the options value of allowed_classes.
@@ -306,7 +307,7 @@ helping to uncover vulnerabilities like the classical
 and various other types mismatch.
 This feature is largely inspired from the
-`autostrict <https://github.com/krakjoe/autostrict>`_ module from `krakjoe <krakjoe.ninja>`_.
+`autostrict <https://github.com/krakjoe/autostrict>`_ module from `krakjoe <http://krakjoe.ninja>`__.
 Preventing execution of writable PHP files
author	jvoisin	2017-11-28 14:20:49 +0100
committer	jvoisin	2017-11-28 14:20:49 +0100
commit	e3a16ae170ceeb7a33c44fd3c3fe862cde122936 (patch)
tree	bed758a14eedca64bb0c7db180edffbff0a8b5a6
parent	878ae591ec07751f8224cdf05c6a14141a2d787b (diff)