Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:118588 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 25262 invoked from network); 8 Sep 2022 17:06:30 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 8 Sep 2022 17:06:30 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 59A051804AA for ; Thu, 8 Sep 2022 10:06:29 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No X-Envelope-From: Received: from mail-yb1-f181.google.com (mail-yb1-f181.google.com [209.85.219.181]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Thu, 8 Sep 2022 10:06:28 -0700 (PDT) Received: by mail-yb1-f181.google.com with SMTP id t184so27430002yba.4 for ; Thu, 08 Sep 2022 10:06:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=XB62NTEExpKHwnNJ5KF4H6SLHF86l9n1gMO5WtvEuGo=; b=ZJHni/f0OeRCS9PV3MXIpbs2P9M5QxIvxCzLMdplOjvz9VifRxrr6Tnvez4g9CgY63 Bt/4SAPdlNrABkW3SyxMFsVhOb0MElkS5095+4dxeyNu4FnbFTKYlDaEI1uDuT6WrJQm aopWnJ+fRn0utq9HgyFlv2NkzU0TuU6gUvFboiHeq+bqv0UHt0uIkrcy7BnY6Z3IZsSA TbG2BCP9l9jNbR4ZU7qXWjxRhwJdVuzpIS6NCw4TAWf6kmYbLdU3YcPC6k+JJud3NZNj aLfAyEiPHnHLsPFOrNFhsME2tqNHu/fvqz5GhX870P84jzf/z+Pq0EN0I9DCC3YzqnId 1Y/w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=XB62NTEExpKHwnNJ5KF4H6SLHF86l9n1gMO5WtvEuGo=; b=6xTCOTWC9fDmgpKrv3hheNL2x6RG3Y6cWOm/9BMQAtrkqH1+lmvLRruf5pA+fIjAsk A1yw90qNM6A8iyxxNzoaImF6wQYbYJIe8HLKf7ktPGIvdIJzQG5W/66E3KVWS6aApH6W wnpZJq8gf/RQFOvr2ifQqdqjaZc7Y67AYfHePQlDwfziYrnUMlAQsQfW6d5isYMd+uZo 0j6vveLNbjqdUFj+qHfZP5K0vclKr1RHHUNSFpZ54rcvww+QcKytRr6CNOwXPR8oRZcK wI5//9Tlm7dh4ipzmezq6Rd31MGsBUl04sVmdTFqs+TOY4Ieroxx3hym8kcVYBGn6KBS FeLQ== X-Gm-Message-State: ACgBeo0W3+MoaAPK4L7kThT3Uq6rmzoLfPiMF4XoWwYPEiOPYkarGqPt q2uQocHJBPOAq9Ku9+1xXimnDdtNbvJ98s6ydYJLWwvPq58= X-Google-Smtp-Source: AA6agR5ua29S2R4bBtS/rSk1rZAn8cVrv55jExXIquyuT1T2DQT93WlyNeVtCMyadMF+murzZn4Ri0DQJYe6Xv0Ldc8= X-Received: by 2002:a25:9d0d:0:b0:69b:6626:6915 with SMTP id i13-20020a259d0d000000b0069b66266915mr8909081ybp.294.1662656788187; Thu, 08 Sep 2022 10:06:28 -0700 (PDT) MIME-Version: 1.0 References: <530b3a9d-0ee4-6061-8c69-df672d238032@bastelstu.be> In-Reply-To: <530b3a9d-0ee4-6061-8c69-df672d238032@bastelstu.be> Date: Thu, 8 Sep 2022 19:06:16 +0200 Message-ID: To: =?UTF-8?Q?Tim_D=C3=BCsterhus?= Cc: PHP internals Content-Type: multipart/alternative; boundary="0000000000003e50d605e82d7304" Subject: Re: [PHP-DEV] RFC [Discussion]: Improve unserialize() error handling From: nicolas.grekas+php@gmail.com (Nicolas Grekas) --0000000000003e50d605e82d7304 Content-Type: text/plain; charset="UTF-8" Hi Tim, Thanks for the RFC. I've now written up an RFC as a follow-up for the "What type of > Exception to use for unserialize() failure?" thread [1]: > > ---- > > RFC: Improve unserialize() error handling > https://wiki.php.net/rfc/improve_unserialize_error_handling > > Proof of concept implementation is in: > > https://github.com/php/php-src/pull/9425 > > Discussion period for that RFC is officially opened up. > > ---- > > The primary point of discussion in the previous mailing list thread and > in the PR comments is whether unserialize() should continue to emit > E_WARNING or whether that should consistently be changed to an > Exception. As of now I plan to explicitly vote on this and the RFC > contains some opinions on that matter. > From what I understand, there are two things in the RFC: 1. a proposal to wrap any throwables thrown during unserialization inside an UnserializationFailedException 2. a discussion to figure out a way to turn these notices+warnings into exceptions. About 1., I read that you think "this is not considered an issue", but to me, changing the kind of exceptions that a piece of code might throw is a non negligible BC break. There needs to be serious justification for it. I tried looking for one, but I'm not convinced there is one: replacing the existing catch(Throwable) by catch(UnserializationFailedException) won't provide much added value to userland, if any. And "reliably include more than just the call unserialize() in the try" is not worth the BC break IMHO. About 2., unserialize() accepts a second argument to give it options. Did you consider adding a 'throw_on_error' option to opt-in into the behavior you're looking for? I think that would be a nice replacement for the current logics based on set_error_handler(). If we want to make PHP 9 throw by default, we could then decide to deprecate *not* passing this option. Lastly I'd like to add a 3. to your proposal, because there is one more thing that makes unserialization annoying: the unserialize_callback_func ini setting. It would be great to be able to pass a 'callback_func' option to unserialize to provide it, instead of calling ini_set() as we have to quite often right now. Would that make sense to you? Kind regards, Nicolas --0000000000003e50d605e82d7304--