Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:117141
Return-Path: <danack@basereality.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 51555 invoked from network); 26 Feb 2022 10:29:00 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 26 Feb 2022 10:29:00 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 38201180088
	for <internals@lists.php.net>; Sat, 26 Feb 2022 03:49:27 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=BAYES_20,DKIM_SIGNED,
	DKIM_VALID,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <danack@basereality.com>
Received: from mail-vk1-f172.google.com (mail-vk1-f172.google.com [209.85.221.172])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Sat, 26 Feb 2022 03:49:26 -0800 (PST)
Received: by mail-vk1-f172.google.com with SMTP id j12so2898325vkr.0
        for <internals@lists.php.net>; Sat, 26 Feb 2022 03:49:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=basereality-com.20210112.gappssmtp.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=l7nIeNNYazYRtq3qE0btrZ+dW0TzRaCEohPBgW1smeE=;
        b=1owZHF6CTmhz5Ca/QWEE2YU5VdxTZmO/CMKlYPY/9HDA/0/Y5F2FjZ45rBeMYURGXt
         vv2KOaP3hVNvzZHLX+A88EeA3tGl5eOevBy/gY+l00bGmneRosJ27kCMobq9TgTuAqYc
         +YrOr+Y30y6subZnrwLvaDxn3r3t8LZJtoSdXkBA92AhfjyUChAxefHOpwYFzVCK+Gj1
         /CSIi3aeRtg+qMSzLA7kM6GuejsVkqIJIDJ2gkZlpBS4j6mAIHn4t7yYMrroyS+qyclX
         z/uazlebzPKgvCjZy6VSi10oKK2c05vMXPi6qIb1AdpNacoeG7eyA8bszZSnILOLlX6/
         WV9g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=l7nIeNNYazYRtq3qE0btrZ+dW0TzRaCEohPBgW1smeE=;
        b=xdHIYKVJ+5qtwamg2gS27N6dRw03bxaHcx3U3AJ3QJDdJAxKErcF6I1T3booDYVwpr
         1qOg7wiCLzxzxdG8CsiAV26/ZfPq5esiFzLQYz1nCyTxY11oIGMfII42h6LruyTw2W3l
         W/pQPkRVZvfhh3fcnjInaM7muj2+flKWRspk3lmzr+QpmS5eAVpeUdZ2mJaTfCvn6OuG
         ISFJxflwG57CDrnnaDLRbpsCZ5x6NvaEiUTHS7wf92WjiMqNYBxLpo6hN/gzv4J7p1Y3
         sveW4HupR1Hn9B7gf+1zjrC/JXR0EOQMAJL1qUDA7fY3M1hT8uiX0BW2L/Etow33+fuL
         ROIA==
X-Gm-Message-State: AOAM531dj724AQkqziaLzOSkgwOKnID0JmaQTeQi935sZfH4G/v44yOo
	laQ19evhD1hyVe/3Rvib3/c4HS7DyWDyPxlN5w1EPg==
X-Google-Smtp-Source: ABdhPJzvwVbPEnMz66UYr7KqVNVd27LyHFGRIDh1/JwFjE+jDeF7NUMaE42PuFwQoVymG1esxEy0yljz95Qc5bWGwQA=
X-Received: by 2002:a05:6122:1814:b0:330:ed0b:c77d with SMTP id
 ay20-20020a056122181400b00330ed0bc77dmr5344050vkb.16.1645876166036; Sat, 26
 Feb 2022 03:49:26 -0800 (PST)
MIME-Version: 1.0
References: <b9d3740d-7664-44ea-318d-bcb516ad5c87@woltlab.com>
 <CAC5V6ghjiDN4ZOzJaikVrKoGoA3atLu4zL2zodvEHhZ2tW0ZAA@mail.gmail.com> <b682e187-f338-87fd-cfae-a9004d4a9955@woltlab.com>
In-Reply-To: <b682e187-f338-87fd-cfae-a9004d4a9955@woltlab.com>
Date: Sat, 26 Feb 2022 11:49:13 +0000
Message-ID: <CA+kxMuQZreLZvN47nvSF5_CFM5N=_dHvrXyO2XXG5+TWg7kY9Q@mail.gmail.com>
To: =?UTF-8?Q?Tim_D=C3=BCsterhus=2C_WoltLab_GmbH?= <duesterhus@woltlab.com>
Cc: Guilliam Xavier <guilliam.xavier@gmail.com>, PHP internals <internals@lists.php.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [PHP-DEV] SensitiveParameterValue serialization behavior
From: Danack@basereality.com (Dan Ackroyd)

On Thu, 24 Feb 2022 at 14:11, Tim D=C3=BCsterhus, WoltLab GmbH
<duesterhus@woltlab.com> wrote:
>
> I see two possible options to remediate this issue:
>
> -------
>
> 1. Disallow both serialization and unserialization.
>
> This will make the serialization issue very obvious, but will require
> adjustments to exception handlers that serialize the stack traces.

That sounds the best option. Yes, people who serialize/unserialize
stack traces will need to take into account the new behaviour, but
they will need to do that anyway, and it's better for something to
fail early, when the data is serialized rather than it happen later
when someone goes to use that data. Programs continuing when they have
already failed is Bad=E2=84=A2.

> Allow unserialization, but poison the unserialized object and
> disallow calling ->getValue() on it.

That sounds like something to be instantly added to the list of PHP Sadness=
.

> I theoretically could add an additional public function isPoisoned(): boo=
l as well.

To me, that sounds like a workaround needed by a bad design aka a hack.

Guilliam Xavier wrote:
> to avoid potentially breaking existing code.

Technically, all existing code will continue to run, as no-one is
currently using SensitiveParameter and so that code will continue to
run. When people start using that feature, then yes they will need to
make sure that any stack serializer is aware of the new feature. But
that doesn't sound like a huge problem to me.

In general, I think we should only add surprising and awkward apis
when there is a really strong reason for doing so, not because there
might be a problem. If it's left as unserializable for now, people
would have the opportunity for saying why it needs to be relaxed
later, aka "no is temporary, yes is forever" for features.

cheers
Dan
Ack