Newsgroups: php.internals
Date: Fri, 25 Feb 2022 16:45:43 +0100
From: duesterhus@woltlab.com (Tim Düsterhus, WoltLab GmbH)
To: Guilliam Xavier
Cc: PHP internals
Subject: Re: [PHP-DEV] SensitiveParameterValue serialization behavior

Hi Guilliam,

On 2/25/22 13:11, Guilliam Xavier wrote:
> I would prefer option 2 (if possible), to avoid potentially breaking
> existing code.

Sure, that's possible. Otherwise I wouldn't have proposed it :-)

The solution for this is simply an additional private property $isPoisoned that is set to true when unserializing. If it is true, ->getValue() will throw an exception.

> Calls to ->getValue() will be in new code written specifically for
> SensitiveParameterValue anyway, and can be wrapped into try-catch, I think?
>

Yes, try-catch works. I theoretically could add an additional public function isPoisoned(): bool as well. The user should likely already know whether the SensitiveParameterValue came from unserialized data or not, though.

Best regards
Tim Düsterhus
Developer WoltLab GmbH

--
WoltLab GmbH
Nedlitzer Str. 27B
14469 Potsdam

Tel.: +49 331 96784338
duesterhus@woltlab.com
www.woltlab.com

Managing director:
Marcel Werk

AG Potsdam HRB 26795 P
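A userland sketch of the poisoning approach described in the message above, added here as an example; it is not code from the thread or from php-src. The class name PoisonableSecret, the empty serialized form, the LogicException type and the sample values are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical userland class; it only mirrors the $isPoisoned idea from the message.
final class PoisonableSecret
{
    private bool $isPoisoned = false;

    public function __construct(private mixed $value) {}

    public function getValue(): mixed
    {
        if ($this->isPoisoned) {
            throw new LogicException('Value was not preserved across serialization.');
        }
        return $this->value;
    }

    // Assumption: serializing succeeds but the serialized form carries no secret.
    public function __serialize(): array
    {
        return [];
    }

    // Every instance rebuilt by unserialize() is poisoned, whatever the payload says.
    public function __unserialize(array $data): void
    {
        $this->value = null;
        $this->isPoisoned = true;
    }
}

$secret = new PoisonableSecret('hunter2'); // constructed sample value
$wire = serialize($secret);
echo 'secret in serialized form: ', var_export(str_contains($wire, 'hunter2'), true), PHP_EOL;

// Constructed payload that tries to supply its own value; it is ignored.
$forged = 'O:16:"PoisonableSecret":1:{s:5:"value";s:3:"abc";}';

foreach ([$wire, $forged] as $payload) {
    $copy = unserialize($payload, ['allowed_classes' => [PoisonableSecret::class]]);
    try {
        $copy->getValue();
        echo 'value returned', PHP_EOL;
    } catch (LogicException $e) {
        echo 'poisoned: ', $e->getMessage(), PHP_EOL;
    }
}
```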