From e3a16ae170ceeb7a33c44fd3c3fe862cde122936 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Tue, 28 Nov 2017 14:20:49 +0100 Subject: Add some references for `unserialize`, and fix an external link --- doc/source/features.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'doc/source') diff --git a/doc/source/features.rst b/doc/source/features.rst index 59aeac2..407c0c0 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst @@ -118,7 +118,8 @@ Unserialize-related magic ^^^^^^^^^^^^^^^^^^^^^^^^^ PHP is able to *serialize* arbitrary objects, to easily store them. -Unfortunately, it is often possible to gain arbitrary code execution upon deserialization +Unfortunately, as demonstrated by `Stefan Esser `__ in his `Shocking News in PHP Exploitation `__ and `Utilizing Code Reuse/ROP in PHP +Application Exploits `__ slides, it is often possible to gain arbitrary code execution upon deserialization of user-supplied serialized objects. Do not pass untrusted user input to ``unserialize()`` regardless of the options value of allowed_classes. @@ -306,7 +307,7 @@ helping to uncover vulnerabilities like the classical and various other types mismatch. This feature is largely inspired from the -`autostrict `_ module from `krakjoe `_. +`autostrict `_ module from `krakjoe `__. Preventing execution of writable PHP files -- cgit v1.3
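Review bot: In the `Unserialize-related magic` hunk of doc/source/features.rst, the first added line is several times longer than the neighbouring lines and then breaks in the middle of the second link's text ("Utilizing Code Reuse/ROP in PHP" on one line, "Application Exploits" on the next). This is a style point, since reStructuredText accepts link text that spans lines, but the source becomes hard to read and later diffs of this paragraph will be noisy. Suggest rewrapping the sentence at the width the surrounding lines use and keeping each of the three links whole on its own line. Moving the two slide references to the end of the sentence would also let the warning about code execution on deserialization come first.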
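Review bot: In the second hunk (the `autostrict` paragraph), only the `krakjoe` link is switched from a trailing `_` to `__`, so the two links on that line now use different reference styles: `autostrict` remains a named reference and `krakjoe` becomes an anonymous one. If the change is there to avoid a duplicate target name, say so in the commit message, because "fix an external link" does not explain why one link was changed and the other was not. Otherwise, make both links anonymous for consistency with the `__` links added in the first hunk.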