Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:118818 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 96707 invoked from network); 15 Oct 2022 10:49:36 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 15 Oct 2022 10:49:36 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id E7D821804A9 for ; Sat, 15 Oct 2022 03:49:35 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-1.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,FREEMAIL_REPLY, HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No X-Envelope-From: Received: from mail-ej1-f41.google.com (mail-ej1-f41.google.com [209.85.218.41]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Sat, 15 Oct 2022 03:49:35 -0700 (PDT) Received: by mail-ej1-f41.google.com with SMTP id 13so15375828ejn.3 for ; Sat, 15 Oct 2022 03:49:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=BXrRMV15ZK5dbglOeeCI2ge/YC2qpT0Kn0k9cZ+Uels=; b=PNQBRlIftbDuDy1p6qbVK9HbWVCnlZj3wQU9Ms394GpT2iWdxEmeak+d89X+YP3Nog hTZRW2YCow5PW0hhtU1H3F7Xv3HY6oC/BLNWk9/ECS0wKIejwIxRWLCVLg4wjVGZC5p7 dTIwVb9pEbURJdmfocUmkRCYpzEXoZ5omCvHKhGDDWs416m4icukdIxffSZaodKXKt3W 0VTP9k4FRSzzngW//Gj4wnfykmTYZiEvR8SyxfXjngWKD2MmzIZM9M+9Vz3bzEqdAE/E xlkdtThGIwjQ7ndT0GFzcxoAdOkjFWw5VjSQNY7FszEteMXksDm0eHJe4o959WRGPemm QNKA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=BXrRMV15ZK5dbglOeeCI2ge/YC2qpT0Kn0k9cZ+Uels=; b=q9G+wYBUzKAdEWOIKNVFjFiA2mjy6af8K2P1sjTd5l5W2ulHi+XZLZk5HsZdAZKKMD 1Mk0e3YLP0nDEO2j9BVxtpU1SPurrcpRp+2RTG14HfPit/MuDyUQaJgDYaFNpo9mAqa2 ks86lm5PJ2ZOxvdhgILj5cGxp1Zn9pj+b+rgaXzu1pldGS1VPMO5qKe3CqX8RIGc7+bT bRlKVxSjc6XNzHxRrKs96dWwDAbbVepJk8NUhHydqF38nkhg2fxPUXgLJpdT9Mh0lHB2 oIPMdDsiVl9+TkhEYfiXxNlisVT6fZct1uq03e9X3l43Fld/Nk0ppOOIYa7tBhP2++vU fMpg== X-Gm-Message-State: ACrzQf3LNgx/KIwdKbTHh4HLT9yUdmafLw+clSWISYMt/+DsLbYwBG2O 6WG1EXSXhmQb+gfO5z0Dq19XuQ3iNuWSMX13loU= X-Google-Smtp-Source: AMsMyM5gRZEY9KUdbaIbfcP+n3auCwbgggqsgBv7WVbXy6mKfM+g4RIHlHuFcC6nezn35bsnVRaNtLUTmVvSg8meK50= X-Received: by 2002:a17:906:6a08:b0:78d:47f0:b3bc with SMTP id qw8-20020a1709066a0800b0078d47f0b3bcmr1551140ejc.572.1665830973792; Sat, 15 Oct 2022 03:49:33 -0700 (PDT) MIME-Version: 1.0 References: <22177032-fe72-c39b-63fe-fa4368a70852@bastelstu.be> In-Reply-To: Date: Sat, 15 Oct 2022 12:49:21 +0200 Message-ID: To: Nicolas Grekas Cc: =?UTF-8?Q?Tim_D=C3=BCsterhus?= , PHP internals Content-Type: multipart/alternative; boundary="00000000000072e9e005eb107f35" Subject: Re: [PHP-DEV] [VOTE] Improve unserialize() error handling From: ocramius@gmail.com (Marco Pivetta) --00000000000072e9e005eb107f35 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Tbh, this affects a new minor and a new major, and only in an unhappy path scenario, where the current PHP API is bad. PHP 9 will introduce a hard crash: good. It's a BC break: yes, native de-serialization is one of the most unsafe parts of the language, and it requires hardening. The fact that Symfony declared that it already supports PHP 8.3 and PHP 9.0 is your problem, and mostly your misunderstanding of SemVer On Sat, 15 Oct 2022, 11:06 Nicolas Grekas, wrote: > > > Not sure why I didn't think about it before but I just ran the test > suite > > > of Symfony after applying the patch proposed in the RFC to change the > way > > > exceptions are handled by unserialize. > > > > > > This change breaks the test suite of 5 separate components. I created > > this > > > gist to list all the failures: > > > > https://gist.github.com/nicolas-grekas/3da652a51669baa40c99bd20e4a1b4dd > > > > > > Maybe I wasn't convincing enough during the discussion period, but th= at > > > doesn't change the fact that the proposed behavior in the RFC is a ve= ry > > > clear BC break that will affect userland significantly. > > > > > > I'm therefore voting NO on the proposal. > > > > > > > I'm not surprised by the =E2=80=9Cno=E2=80=9D on the first vote based o= n the previous > > discussion. I am surprised however that you also disagree with raising > > the E_NOTICE to E_WARNING for consistency. > > > > I don't plan on repeating all the previous discussion points with you, > > but as you mention the Symfony tests specifically: Please find the patc= h > > attached. Do you believe the expectations in this new test would a > > reasonable expectation by a Symfony user? > > > > Since the beginning my point is not that the RFC doesn't have merits. It'= s > that the proposed approach breaks BC in a way that will affect the > community significantly. We have policies that say we should avoid BC > breaks and they should apply here. > > To anyone wondering about the reality of the BC break if you're not > convinced there is one because the original code is broken anyway (which = is > your main argument Tim IIUC): please have a look at the failures I report= ed > above and wonder about the changes the RFC would impose. I cannot think > about one that would not imply some sort of "if the version of PHP is >= =3D > 8.3 then A, else B". This is the fact that highlights the BC break. > > Nicolas > --00000000000072e9e005eb107f35--