Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:111131
To: Nikita Popov <nikita.ppv@gmail.com>
CC: PHP Internals List <internals@lists.php.net>
Thread-Topic: [PHP-DEV] [VOTE] Don't automatically unserialize Phar metadata
 outside getMetadata()
Thread-Index: AQHWX2NU3679vUvWnEezAEU+ozOr2KkTrM+AgAAlSdk=
Date: Wed, 22 Jul 2020 16:54:43 +0000
Message-ID:
 <DM6PR07MB6618AF2E82BEF55EDB7D9D98F9790@DM6PR07MB6618.namprd07.prod.outlook.com>
References:
 <DM6PR07MB66182B9F1879B64DA95FCFA6F9780@DM6PR07MB6618.namprd07.prod.outlook.com>,<CAF+90c9TSRSu=xkdsqfwzwXj6g=Z1tL_XOvijWV=62VYzqG4-Q@mail.gmail.com>
In-Reply-To:
 <CAF+90c9TSRSu=xkdsqfwzwXj6g=Z1tL_XOvijWV=62VYzqG4-Q@mail.gmail.com>
Accept-Language: en-CA, en-US
Content-Language: en-CA
x-ms-exchange-messagesentrepresentingtype: 1
x-tmn: [YDeSycg6SOR0t+77zLdmAeMi3gow5PzO]
x-ms-publictraffictype: Email
x-incomingheadercount: 45
x-eopattributedmessage: 0
x-ms-office365-filtering-correlation-id: e03bae50-9770-45c4-5471-08d82e5feec2
x-ms-traffictypediagnostic: MW2NAM10HT206:
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info:
 DwIyP8N7AdREWejhtu0RZs5gR21dDL98s9MU4CCmhWKrBlxmrPhNvJAY0aEuUygT8k/qeZPteO2qF3PztHBn5wmw0H6J9xdlI5dxNzXLqLVlXcCcFA7DHbgfbrr9Pd38XNfOfysIsQhtx/nq6wkEfXUSNDzypyPQrpBhaj57X+Zac26CinI5rEfFMk//JDgSdC6ygJ7hfUBMpA0xMV9svA==
x-forefront-antispam-report:
 CIP:255.255.255.255;CTRY:;LANG:en;SCL:0;SRV:;IPV:NLI;SFV:NSPM;H:DM6PR07MB6618.namprd07.prod.outlook.com;PTR:;CAT:NONE;SFTY:;SFS:;DIR:OUT;SFP:1901;
x-ms-exchange-antispam-messagedata:
 WZXRawSKv/N9o32/4b94SyZG4CjCQB/DJKhwT2JKVBtTHv98iLcc2gKj9vjP2xbGuD2P5LlUwzjoDktTNHAL9Ybxg/G9pJ8FnUDGMc7t3hAkHyqA0txHbBkg/8l11Tre1zHYr5QCixC52//F+otTQg==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: hotmail.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-AuthSource: MW2NAM10FT022.eop-nam10.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: e03bae50-9770-45c4-5471-08d82e5feec2
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Jul 2020 16:54:43.4369
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW2NAM10HT206
Subject: Re: [PHP-DEV] [VOTE] Don't automatically unserialize Phar metadata
 outside getMetadata()
From: tysonandre775@hotmail.com (tyson andre)

Hi internals,=0A=
=0A=
> As a minor suggestion:=0A=
> =0A=
> > Additionally, add an $allowed_classes parameter to both getMetadata() i=
mplementations, defaulting to the current behavior of allowing any classes =
(true). This will be passed to the call to unserialize() performed internal=
ly. =0A=
> =0A=
> Rather than adding an $allowed_classes parameter, I'd add a general $unse=
rialize_options parameter that just gets passed through to unserialize. E.g=
. we also have a "max_depth" option, which also seems potentially useful. T=
his will ensure that any new limitations we implement for unserialize() wil=
l also be available in this context.=0A=
=0A=
That sounds like a better idea than what I originally had - I'd forgotten a=
bout the max_depth option getting added in php 8.0.=0A=
=0A=
Thanks,=0A=
- Tyson=