Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:118831
Return-Path: <nicolas.grekas@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 55552 invoked from network); 17 Oct 2022 08:57:35 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 17 Oct 2022 08:57:35 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id B14DE180044
	for <internals@lists.php.net>; Mon, 17 Oct 2022 01:57:34 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,
	T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <nicolas.grekas@gmail.com>
Received: from mail-wm1-f53.google.com (mail-wm1-f53.google.com [209.85.128.53])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon, 17 Oct 2022 01:57:34 -0700 (PDT)
Received: by mail-wm1-f53.google.com with SMTP id c7-20020a05600c0ac700b003c6cad86f38so12220524wmr.2
        for <internals@lists.php.net>; Mon, 17 Oct 2022 01:57:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=HMo9/EgLxSuQD6ZNjM/cmvtRLvXBBFGA9qQ4+8pgkAE=;
        b=Jwd7Z0KXos5ZQiJjrXk1qZwkQ9wWET48Y7xQ5vP+jYxyIgdtcXMCCpnLvKobVt2L0q
         zvFFdS+rHZTf0qUmlq+OmeCjrznPCWpL+9q5gLUkWio7t+Jhcn7HqMG7NDZLa2MoUZ0C
         h1jQLtVzo72Up/Gkh+d5eF4E+F9Uueu6Nwdc1ZEKN0jVORLoaeD5UI4Qi9fDETTSMmhf
         BhkiVc9GIjFM0msOBI9KaVEZO5lbnbE/8Z9D3mPRaKnLx/WpTY3Ifg+xo+/qMD0syz8Q
         JSM70ZI45R6OiY68zbQCG2fxMSTcNxLJV/AQKe5zdi/Hq1H0bk+qyy9H2ZH7UWgKiHbd
         ogpg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=HMo9/EgLxSuQD6ZNjM/cmvtRLvXBBFGA9qQ4+8pgkAE=;
        b=HCL7Z7mgu7R/H0pKMKcCzw0gAumtAZ1G0GXyb50KkJyYWmT5GCFmdOyFPF3767lPmy
         l6BNSizKJik5g/vc0USiwUAryqH8QZuD77AFku/C3hRqb17NOosp0GtcXWJomr1srzSa
         aD9QoqaDwdiLIcjapYyve1+NG+R8IUmHhuy+ALJHQeM38hqLqbWzrj6ckvY71IgMiDVW
         bzZ+VDMlF+b0xLA0UuNeHoI2naZyIyhbuPYtYzugUu9aWGb7aH7XbuJ0Wzru0NNI1mLG
         pK/uC/ohG1Qa7dxIvvlK5js9fT5zZgpuazOzA10pCWsq22ICXWf0Q+3U1bvz6Ae8epN5
         hbKw==
X-Gm-Message-State: ACrzQf35HUe+v1xVa2GUnqlRIH3X9xnDg3i7nODj8VYlL7siXkVi9NMF
	kw1W6iSEEJ4+KPIbN8QTEJvhPPHliSWiuL/t8Ro=
X-Google-Smtp-Source: AMsMyM7iVGumjQFRaFOsAdMa3yvAIoO2MNhZxi//gUkGxg/cTsJ++Cxc2k1KXTC/afThR8X9reN00rEI27HSsRHashQ=
X-Received: by 2002:a7b:cd14:0:b0:3c6:bf44:770d with SMTP id
 f20-20020a7bcd14000000b003c6bf44770dmr6598521wmj.35.1665997052601; Mon, 17
 Oct 2022 01:57:32 -0700 (PDT)
MIME-Version: 1.0
References: <22177032-fe72-c39b-63fe-fa4368a70852@bastelstu.be>
 <CAOWwgpmuiRzUwGpU3ShQ7HOAVGhcP=Wb8z50acLfERMn_NEbwQ@mail.gmail.com>
 <c9e61189-7826-844f-56b9-7bb509a0791d@bastelstu.be> <CAOWwgpnpBTx9-aLz-bg1xZ9FT5JyWsX44TLwfvanDS_aAW7qdQ@mail.gmail.com>
 <c69c45f7-9836-1858-d90e-df7042bd3f88@bastelstu.be>
In-Reply-To: <c69c45f7-9836-1858-d90e-df7042bd3f88@bastelstu.be>
Date: Mon, 17 Oct 2022 10:57:21 +0200
Message-ID: <CAOWwgpmZ82zp7apmrwmb+xKOrwJvMuOJ=OMBuZa3n44ZPX5Uwg@mail.gmail.com>
To: =?UTF-8?Q?Tim_D=C3=BCsterhus?= <tim@bastelstu.be>
Cc: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="0000000000008470dc05eb372ac7"
Subject: Re: [PHP-DEV] [VOTE] Improve unserialize() error handling
From: nicolas.grekas+php@gmail.com (Nicolas Grekas)

--0000000000008470dc05eb372ac7
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Tim,

Thanks for taking the time to have a closer look. Unfortunately, you picked
the one failing test where there could be a discussion about whether the
original code needs improvement or not.

The other failing tests involve "unserialize_callback_func" to gracefully
detect class-not-found, and they are all plain broken by the RFC.

I created this patch/PR to show the changes that would be required on
Symfony to work around the BC break:
https://github.com/symfony/symfony/pull/47882

Note to readers: in this whole discussion, Symfony is just an example of
affected code. In the end, Symfony will adapt to the RFC if it passes. The
point being made is that PHP scripts should not have to be patched to run
on newer minor versions of PHP. That's what "keeping BC" means.


Resending the message without attachments, because the mailing list
> rejected the original due to exceeding 30000 bytes:
>
> > ezmlm-reject: fatal: Sorry, I don't accept messages larger than 30000
> bytes (#5.2.3)
>
> You can find the attachments at:
> https://gist.github.com/TimWolla/376dd162f7684daef38f76a07254871c
>
> Original message below:
>
> ------------------
>
> On 10/15/22 11:06, Nicolas Grekas wrote:
> >> I'm not surprised by the =E2=80=9Cno=E2=80=9D on the first vote based =
on the previous
> >> discussion. I am surprised however that you also disagree with raising
> >> the E_NOTICE to E_WARNING for consistency.
> >>
> >> I don't plan on repeating all the previous discussion points with you,
> >> but as you mention the Symfony tests specifically: Please find the pat=
ch
> >> attached. Do you believe the expectations in this new test would a
> >> reasonable expectation by a Symfony user?
> >>
> >
> > Since the beginning my point is not that the RFC doesn't have merits.
> It's
> > that the proposed approach breaks BC in a way that will affect the
> > community significantly. We have policies that say we should avoid BC
> > breaks and they should apply here.
> >
> > To anyone wondering about the reality of the BC break if you're not
> > convinced there is one because the original code is broken anyway (whic=
h
> is
> > your main argument Tim IIUC): please have a look at the failures I
> reported
>
> Yes, you understood this correctly: I consider the existing
> implementation to be broken. Unfortunately you did not answer my
> question whether the attached patch would be a reasonable expectation by
> a Symfony user.
>
> Let's presume it is: If I use the 'PhpSerializer' then I expect to
> receive exactly the 'MessageDecodingFailedException' whenever the
> message fails to decode. When decoding an erroneous DateTime (or an
> erroneous SplDoublyLinkedList or whatever) a different Exception will be
> thrown and not caught, thus the contract by the 'PhpSerializer' is
> violated.
>
> Let's fix this using test driven development. We first add the failing
> test cases. This is step1.diff (patches are in
> https://gist.github.com/TimWolla/376dd162f7684daef38f76a07254871c). When
> running the tests we get the following output:
>

I didn't answer the question because we ruled out such payloads in the
discussion thread: constructed payloads like the ones involving DateTime do
not exist in practice. Or if they do, it means the source of the payload is
not trusted, and then we are in much bigger trouble (security issues for
which the RFC can't do anything.)

Breaking BC in the name of such invalid payloads doesn't make an argument
in favor of the RFC.


> Failed asserting that exception message 'Could not decode message using
> PHP serialization: O:13:"ReceivedSt0mp":0:{}.' matches '/class
> "ReceivedSt0mp" not found/'.
>
> Okay, now the Exception message changed. Personally I do not consider
> this a BC break: I believe Exception messages are meant for human
> consumption, not for programs. Otherwise fixing a typo in the message
> would be a BC break. If the code wants to learn about the cause, it
> should either use the '$code' or different types of Exception should be
> thrown to clarify the cause by entering a different catch() block.
>

Yes, the specific error message should be part of the BC promise. This
allows building test suites that can assert the message in a stable way.
This is also why we don't change the output of var_dump/print_r/var_export:
they're written now, in the same of BC, for the best of stability. (I've
barely read any PHP code where exception's code is used in any useful BTW -
that can't be a solution.)

More importantly, the type of thrown exceptions should undoubtedly be part
of the BC promise.
Wrapping exceptions inside UnserializationFailedException breaks existing
catch/instanceof checks (see my PR above.)



> All green! We **did not have to change anything** after fixing the
> implementation in step3a.diff for PHP 8.2 and earlier!
>

We did change the exception hierarchy, both in terms of types and in terms
of stack of "previous". In this specific case, we can discuss the merits of
wrapping all throwables or not. But in doubt the other failing cases I
reported clearly highlight the BC break.

Nicolas

--0000000000008470dc05eb372ac7--