Newsgroups: php.internals
Subject: Re: [PHP-DEV] Unserializes, inheritance and allows_classes
From: rowan.collins@gmail.com (Rowan Collins)
Date: Fri, 18 Jan 2019 14:30:53 +0000
To: Marco Pivetta
Cc: Marcos Passos, internals

On Fri, 18 Jan 2019 at 01:15, Marco Pivetta wrote:

> On Fri, Jan 18, 2019 at 2:13 AM Marcos Passos wrote:
>
> > But it closes for extension preventing the serialization of instances not
> > whitelisted. It may work for @internal or package private classes, but not
> > for public classes.
>
> That is precisely what this is designed for.
>
> A subclass is a different type, with a world of possible broken things in
> it: do not consider the subclass to be the same as a parent class: it's a
> logical mistake.

I think it depends on the scenario, and what risks you're trying to protect
against. If you are using the whitelist in the core of a CMS, to stop plugins
accidentally introducing problematic behaviour, sub-classes should absolutely
be blocked; but if you're using it in a closed application to stop users
manipulating the *serialized data*, there is no way for a sub-class to be
created unless you create it yourself, so limiting to any class in a given
hierarchy would be reasonable.

However, you can always implement more complex logic by using custom
serialization and deserializing with a factory which creates whichever
sub-class is appropriate. Although fairly powerful, serialize() /
deserialize() are always going to be a bit of a "lowest common denominator",
rather than the right tool for every job.

Regards,
-- 
Rowan Collins
[IMSoP]
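The two approaches discussed in this message, as an added example that is not part of the original thread or of PHP's own code: first, the allowed_classes whitelist of unserialize() as it behaves today, which matches class names exactly, so a serialized subclass instance is rejected (it comes back as __PHP_Incomplete_Class) when only the parent class is whitelisted; second, the "custom serialization plus factory" alternative, where only plain data is unserialized (allowed_classes => false) and a factory decides which class in the hierarchy to build. The class names Money and DiscountedMoney and the type tags are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Classes are hypothetical.
class Money
{
    /** @var int */
    public $amount;
    /** @var string */
    public $currency;

    public function __construct(int $amount, string $currency)
    {
        $this->amount = $amount;
        $this->currency = $currency;
    }
}

// A subclass: a different type, with its own extra state and invariants.
class DiscountedMoney extends Money
{
    /** @var int */
    public $discountPct;

    public function __construct(int $amount, string $currency, int $discountPct)
    {
        parent::__construct($amount, $currency);
        $this->discountPct = $discountPct;
    }
}

// Approach 1: the built-in whitelist. Only the exact class Money is allowed;
// any other class in the payload, including DiscountedMoney, is instantiated
// as __PHP_Incomplete_Class, which fails the instanceof check below.
function restoreMoney(string $payload): Money
{
    $value = unserialize($payload, ['allowed_classes' => [Money::class]]);
    if (!$value instanceof Money) {
        // Covers scalars, arrays and __PHP_Incomplete_Class alike.
        throw new UnexpectedValueException('Payload is not an exact Money instance');
    }
    return $value;
}

// Approach 2: custom serialization. Emit plain data with an explicit type
// tag, so no class name in the payload is ever trusted.
function exportMoney(Money $m): string
{
    $data = ['type' => 'money', 'amount' => $m->amount, 'currency' => $m->currency];
    if ($m instanceof DiscountedMoney) {
        $data['type'] = 'discounted';
        $data['discount'] = $m->discountPct;
    }
    return serialize($data);
}

// The factory side: unserialize with no objects allowed at all, validate the
// shape, then choose the subclass from the type tag under our own rules.
function importMoney(string $payload): Money
{
    $data = unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($data) || !isset($data['type'], $data['amount'], $data['currency'])) {
        throw new UnexpectedValueException('Malformed payload');
    }
    switch ($data['type']) {
        case 'money':
            return new Money((int) $data['amount'], (string) $data['currency']);
        case 'discounted':
            if (!isset($data['discount'])) {
                throw new UnexpectedValueException('Missing discount');
            }
            return new DiscountedMoney((int) $data['amount'], (string) $data['currency'], (int) $data['discount']);
        default:
            throw new UnexpectedValueException('Unknown type tag: ' . $data['type']);
    }
}

// Demonstration on constructed payloads.
$plain = serialize(new Money(100, 'EUR'));            // O:5:"Money":...
$sub   = serialize(new DiscountedMoney(100, 'EUR', 10)); // O:15:"DiscountedMoney":...

echo 'exact class accepted: ', get_class(restoreMoney($plain)), PHP_EOL;

try {
    restoreMoney($sub);
    echo 'subclass accepted (unexpected)', PHP_EOL;
} catch (UnexpectedValueException $e) {
    echo 'subclass blocked by allowed_classes: ', $e->getMessage(), PHP_EOL;
}

$roundTrip = importMoney(exportMoney(new DiscountedMoney(100, 'EUR', 10)));
echo 'factory rebuilt: ', get_class($roundTrip), PHP_EOL;
```

The factory variant is the one to prefer when the payload can be influenced by a user: with allowed_classes => false no object of any class is instantiated from the wire format, so neither the whitelist's exact-match semantics nor a hierarchy rule matters, and the application's own code decides which concrete type each tag maps to. Independently of either approach, the PHP manual's general caveat still applies: unserialize() itself is not intended to be fed untrusted input, so a whitelist narrows the damage rather than making arbitrary payloads safe.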