Newsgroups: php.internals
From: tysonandre775@hotmail.com (tyson andre)
To: Nikita Popov
CC: PHP Internals List
Date: Wed, 22 Jul 2020 17:25:00 +0000
Subject: Re: [PHP-DEV] [VOTE] Don't automatically unserialize Phar metadata outside getMetadata()

Hi internals,

> As a minor suggestion:
>
> > Additionally, add an $allowed_classes parameter to both getMetadata() implementations, defaulting to the current behavior of allowing any classes (true). This will be passed to the call to unserialize() performed internally.
>
> Rather than adding an $allowed_classes parameter, I'd add a general $unserialize_options parameter that just gets passed through to unserialize. E.g. we also have a "max_depth" option, which also seems potentially useful. This will ensure that any new limitations we implement for unserialize() will also be available in this context.

I amended https://wiki.php.net/rfc/phar_stop_autoloading_metadata and changed from version 0.3 to 0.4,
with the behavior I plan to implement. I'll aim to have the implementation updated by Friday.

> 0.4: Change from getMetadata($allowed_classes = …) to getMetadata(array $unserialize_options = []) in this document.
> I forgot about max_depth being added in php 8.0 and the usefulness of being able to support future options added to unserialize()
> without changing the signature of getMetadata.
> Elaborate on implementation details $unserialize_options would lead to when setMetaData is called before
> $pharFileOrEntry->getMetadata(['allowed_classes' => $classes])

Any other comments/concerns?
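
Added example (not part of the original message and not the phar extension's code): what the two unserialize() options named in this thread, allowed_classes and max_depth, do to a serialized metadata string when a caller passes them through. readMetadata() and CacheEntry are hypothetical names and the metadata is constructed; max_depth and the mixed return type need PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for any class the reading application has loaded.
final class CacheEntry
{
    public static int $wakeups = 0;
    public string $key = 'demo';

    public function __wakeup(): void
    {
        // Magic methods like this one run as a side effect of unserialize().
        self::$wakeups++;
    }
}

/**
 * Hypothetical helper: forwards the caller's options to unserialize()
 * unchanged, the pass-through shape proposed for getMetadata().
 */
function readMetadata(string $serialized, array $unserializeOptions = []): mixed
{
    // unserialize() emits a warning and returns false on failure; the
    // warning is suppressed here so the caller only handles the return value.
    return @unserialize($serialized, $unserializeOptions);
}

// Constructed sample metadata: an object nested inside two arrays.
$metadata = serialize(['build' => ['entry' => new CacheEntry()]]);

// No options: every class may be instantiated and __wakeup() is invoked.
$default = readMetadata($metadata);
printf("default:    %s, wakeups=%d\n",
    get_class($default['build']['entry']), CacheEntry::$wakeups);

// allowed_classes => false: objects are restored as __PHP_Incomplete_Class,
// so no magic method of the original class is invoked.
$strict = readMetadata($metadata, ['allowed_classes' => false]);
printf("no classes: %s, wakeups=%d\n",
    get_class($strict['build']['entry']), CacheEntry::$wakeups);

// An explicit allow-list admits only the classes the reader expects.
$listed = readMetadata($metadata, ['allowed_classes' => [CacheEntry::class]]);
printf("allow-list: %s, wakeups=%d\n",
    get_class($listed['build']['entry']), CacheEntry::$wakeups);

// max_depth caps nesting; input nested deeper than the limit is rejected
// as a whole and unserialize() returns false.
$shallow = readMetadata($metadata, ['allowed_classes' => false, 'max_depth' => 1]);
printf("max_depth:  rejected=%s\n", var_export($shallow === false, true));
```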