Newsgroups: php.internals
Message-ID: <0F27748B-A04C-402B-B77F-8343E6D280E1@gmail.com>
Date: Sat, 26 Feb 2022 16:35:44 +0100
From: claude.pache@gmail.com (Claude Pache)
To: "Tim Düsterhus, WoltLab GmbH"
Cc: PHP internals
Subject: Re: [PHP-DEV] SensitiveParameterValue serialization behavior

>
> 1. Disallow both serialization and unserialization.
>
> This will make the serialization issue very obvious, but will require adjustments to exception handlers that serialize the stack traces.

Hi,

Note that exception handlers that serialise stack traces without taking into account that the operation may fail, are already broken as of today, because common unserialisable objects, such as Closure instances (anonymous functions), may appear in stack traces.

https://3v4l.org/tv1s1
https://3v4l.org/PGKnl

Making SensitiveParameterValue fail on serialisation won’t break those handlers, but make their existing brokenness apparent in more cases (which is a good thing).

—Claude
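
The failure mode described in the message above, as an added example that is not part of the original post and is not the code behind the 3v4l links: a handler that serialises a trace containing a Closure argument, next to one that tolerates the failure. The function names `runJob`, `storeTraceNaive` and `storeTraceSafe` are hypothetical, and the example assumes `zend.exception_ignore_args=Off` so that frame arguments are recorded in the trace.

```php
<?php
declare(strict_types=1);

// Constructed scenario: a closure is passed as an argument, so it appears
// in the 'args' entry of a stack frame (assumes zend.exception_ignore_args=Off).
function runJob(callable $job): void
{
    throw new RuntimeException('job failed');
}

// Fragile handler: assumes every value in the trace can be serialised.
function storeTraceNaive(Throwable $e): string
{
    return serialize($e->getTrace());
}

// Tolerant handler: if any frame holds an unserialisable value, fall back
// to the same frames with their argument values removed.
function storeTraceSafe(Throwable $e): string
{
    try {
        return serialize($e->getTrace());
    } catch (Throwable $serializationError) {
        $frames = array_map(
            static function (array $frame): array {
                unset($frame['args']); // drop Closures and other objects
                return $frame;         // file, line, function, class, type remain
            },
            $e->getTrace()
        );
        return serialize($frames);
    }
}

try {
    runJob(static fn () => null);
} catch (RuntimeException $e) {
    try {
        storeTraceNaive($e);
        echo "naive: stored\n";
    } catch (Throwable $t) {
        // Reached when the Closure argument is present in the trace.
        echo 'naive: ', get_class($t), ': ', $t->getMessage(), "\n";
    }
    echo 'safe: ', strlen(storeTraceSafe($e)), " bytes stored\n";
}
```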