by ec109685 2633 days ago
This part is concerning:

> Apache's team has been prompt to respond and patch, and nice as hell. Really good experience. PHP never answered regarding the UAF.

2 comments

FWIW I reported it to PHP's bugtracker: https://bugs.php.net/bug.php?id=77843

I expect that it'll be fixed, but not handled as a security issue, as it doesn't fit within PHP's model of security vulns.

> This looks like it requires specially crafted code, therefore not a security issue.

I'm not sure how I feel about such a response. Many exploits require odd, but valid code, and more often than not it exists out there.

Also, it feels weird for this to be tagged as a JSON issue?

Basically they don't consider the engineer exploiting the interpreter to be a security vulnerability. That seems a bit dubious, but I can see where they are coming from in treating the script author as a trusted party.

That's been my experience reporting any kind of bug with the PHP core team. It really is a pain in the neck.