Newsgroups: php.internals
From: nikita.ppv@gmail.com (Nikita Popov)
To: PHP internals
Subject: Re: [PHP-DEV] Built-in classes that cannot be serialized
Date: Mon, 26 Nov 2018 13:35:53 +0100

On Mon, Nov 26, 2018 at 12:27 PM Sebastian Bergmann wrote:

> On 26.11.2018 at 12:20, Nikita Popov wrote:
> > Apart from serialize_deny, a pretty common pattern is throwing __wakeup.
> > See for example CURLFile.
> >
> > We should migrate such cases to serialize_deny though. I think it's pretty
> > weird to explicitly implement __wakeup (signalling that yes, you can be
> > unserialized), and then use it to throw (sorry, I lied).
> >
> > In any case, what's your motivation here? As long as throwing
> > (un)serialize/__sleep/__wakeup exist, you will not be able to determine
> > whether a class can be (un)serialized a priori. It may even be that a class
> > can only sometimes be serialized. The only reliable way to find out is to
> > actually try it. What prevents you from attempting (un)serialization and
> > catching potentially thrown exceptions?
>
> If I can rely on classes to throw an exception when serialize() is
> performed (be it through zend_class_serialize_deny or in __sleep())
> then, yes, I can just try it.

I believe you can rely on this. Not on any specific exception type, but the fact that it will throw.

> I, too, think that classes that currently throw in __sleep() should be
> migrated to use zend_class_serialize_deny.

I've switched CURLFile, PDO and PDOStatement over to use serialize_deny. I couldn't find other classes in bundled extensions that were manually throwing on serialization.

> Only if all classes that cannot be serialized use
> zend_class_serialize_deny then it would make sense to expose that
> information through the Reflection API.

We could do that, but I'm not sure how useful it really is. After all, even if a class can in principle be serialized, it might still have a property that contains a class that cannot be serialized. Serializability is not a property of a single class or object, it's a property of the whole object graph that is being serialized.

Nikita
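
The try-and-catch approach discussed in this message, as an added example (not code from the thread or from php-src). `serializationError()`, `Job` and `SometimesSerializable` are hypothetical names; the example shows a class that serializes on its own but fails once its object graph holds a Closure, and a class that is only sometimes serializable.

```php
<?php
// Returns null if $value serializes, otherwise a description of what was thrown.
// Catches \Throwable because no specific exception type is guaranteed.
function serializationError($value): ?string
{
    try {
        serialize($value);
        return null;
    } catch (\Throwable $e) {
        return get_class($e) . ': ' . $e->getMessage();
    }
}

// Constructed sample classes (hypothetical, for illustration only).
final class Job
{
    public $name;
    public $callback; // may hold any object, including a non-serializable one
    public function __construct(string $name, $callback = null)
    {
        $this->name = $name;
        $this->callback = $callback;
    }
}

final class SometimesSerializable
{
    public $connected = false;

    public function __sleep(): array
    {
        // Serializability depends on runtime state, not on the class itself.
        if ($this->connected) {
            throw new \LogicException('cannot serialize while connected');
        }
        return ['connected'];
    }
}

$plain  = new Job('plain');
$nested = new Job('nested', function () {}); // Closure is a built-in that refuses serialization
$idle   = new SometimesSerializable();
$busy   = new SometimesSerializable();
$busy->connected = true;

foreach (['plain' => $plain, 'nested' => $nested, 'idle' => $idle, 'busy' => $busy] as $label => $value) {
    $error = serializationError($value);
    echo str_pad($label, 8), $error === null ? 'ok' : "fails ($error)", PHP_EOL;
}
```

`Job` gives the same answer to any class-level check in both cases; only the attempt on the concrete object graph distinguishes `plain` from `nested`.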