Newsgroups: php.internals
Date: Thu, 20 Oct 2022 15:40:59 +0200
To: Tim Düsterhus
Cc: PHP internals
Subject: Re: [PHP-DEV] [VOTE] Improve unserialize() error handling
From: Danack@basereality.com (Dan Ackroyd)

On Wed, 19 Oct 2022 at 19:11, Tim Düsterhus wrote:
>
> While the behavior would in fact change, it would not introduce a
> "security issue" if this is what you were hinting at.

No, just that it would break in production, and then have to be fixed
after a live site was already affecting end-users.

> This would just result in an uncaught Exception which should
> be very visible in your error tracking service.

My impression is that most web-servers running PHP don't have those.
For people who run most sites, the first they would know about it is
when end-users started complaining.

cheers
Dan
Ack