Newsgroups: php.internals
Date: Sat, 27 Aug 2022 15:00:30 +0200
To: Rowan Tommins, internals@lists.php.net
Subject: Re: [PHP-DEV] What type of Exception to use for unserialize() failure?
From: tim@bastelstu.be (Tim Düsterhus)

Hi

On 8/27/22 00:17, Rowan Tommins wrote:
>> - I've noticed that 'unserialize()' already emits E_WARNING for some types of error (e.g. out-of-bounds integers), so users already need to be prepared for E_WARNING to be emitted. I've adjusted the aforementioned Notice to Warning, but we might be able to directly jump to UnserializationFailedException from the existing warnings?
>
>
> IMHO, any change from Warning or lower to Exception or Error is a clear Breaking Change, because it can make a program that runs successfully under one version abort mid-process in another.

While this is technically correct, I am not sure if there is actually a case where a script that is behaving correctly for the current version will break (i.e. everything that will break is already subtly broken).

1. If you are unserializing only trusted data from a compatible PHP version (compatible PHP version, because the serialization output might differ, e.g. for 'C:' and 'O:'), then unserialize() should not fail / not emit any notices or warnings.

2. If you are not in the situation of (1), then unserialize() might already throw arbitrary Throwables for *some* of the inputs, as the implementation of `__unserialize()` or `__wakeup()` might throw:

https://3v4l.org/Fc4dk

Best regards
Tim Düsterhus
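
The two failure channels discussed in this message (diagnostics emitted by unserialize() itself, and Throwables raised from `__unserialize()` / `__wakeup()`) handled in one place. This is an added example, not code from the thread or from php-src; `safeUnserialize()`, the `Token` class and the sample payloads are constructed for illustration, and PHP 8.1 or later is assumed.

```php
<?php
// Constructed sample class: its __unserialize() hook rejects bad payloads by throwing.
final class Token
{
    public string $value = '';

    public function __unserialize(array $data): void
    {
        if (!isset($data['value']) || !is_string($data['value'])) {
            throw new DomainException('Token payload is missing "value"');
        }
        $this->value = $data['value'];
    }
}

// Hypothetical helper: funnels every failure channel of unserialize() into one exception type.
function safeUnserialize(string $payload, array $allowedClasses = []): mixed
{
    // Promote the E_NOTICE / E_WARNING diagnostics to exceptions for the duration of the call.
    set_error_handler(static function (int $severity, string $message): never {
        throw new ErrorException($message, 0, $severity);
    });
    try {
        $result = unserialize($payload, ['allowed_classes' => $allowedClasses]);
    } catch (Throwable $e) {
        // Covers the promoted diagnostics and anything thrown by __unserialize() / __wakeup().
        throw new RuntimeException('Unserialization failed: ' . $e->getMessage(), 0, $e);
    } finally {
        restore_error_handler();
    }
    return $result;
}

// Constructed inputs: one valid, one truncated, one rejected by the class hook.
$samples = [
    'valid'     => serialize(['a' => 1]),
    'truncated' => 'a:1:{s:1:"a";i:1',
    'hook'      => 'O:5:"Token":0:{}',
];
foreach ($samples as $label => $payload) {
    try {
        $allowed = $label === 'hook' ? [Token::class] : [];
        var_dump(safeUnserialize($payload, $allowed));
    } catch (RuntimeException $e) {
        echo $label, ': ', $e->getMessage(), ' (', get_class($e->getPrevious()), ")\n";
    }
}
```

Passing an explicit `allowed_classes` list keeps class hooks from running for any type the caller did not expect, which narrows the set of Throwables the second channel can produce.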