Newsgroups: php.internals
References: <1B77BC20-4EA6-453B-A39B-2406A4E53436@dafert.at>
Date: Mon, 27 Mar 2023 17:22:57 -0500
To: "php internals"
Subject: Re: [PHP-DEV] RFC [Discussion]: Make unserialize() emit a warning for trailing bytes
From: larry@garfieldtech.com ("Larry Garfield")

On Mon, Mar 27, 2023, at 2:12 PM, Mel Dafert wrote:
> On 27 March 2023 20:20:58 CEST, "Michał Marcin Brzuchalski" wrote:
>> Personally, I'd like unserialize to throw an exception if trailing
>> bytes are detected.
>> If not by default, then with the use of an option passed to the unserialize
>> function.
>
> If that's the desired direction, it makes more sense to emit a
> deprecation notice now and throw an exception starting in 9.0.
>
> Regards,
> Mel Dafert

I would also favor throwing an exception. This is a security vector being closed, and that should be closed *hard*. Warnings tend to show up where they're not useful (dev) and don't get noticed where they are (prod). Go all the way to an exception here.

I'm flexible on whether that happens in 8.3 or 9. Maybe warning now, with exception in 9? I don't know if that's better from a BC POV, but it should end up as an exception.

--Larry Garfield
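To make concrete what "trailing bytes" means for unserialize(), and why a warning alone is easy to miss in production, here is an added example that is not part of the thread, the RFC, or PHP's own code. The helper name strictUnserialize() is hypothetical; the sample payloads are constructed inline. The example does two things a caller can do today regardless of what the RFC decides: it promotes any warning unserialize() raises (including the trailing-bytes warning that PHP 8.3 added as a result of this RFC) into an exception, and it adds a round-trip check that also catches unconsumed input on versions where the engine accepts it silently.

```php
<?php
declare(strict_types=1);

// Added example, not code from the RFC or from PHP itself.
//
// A serialized payload is self-delimiting: the parser stops as soon as the
// top-level value is complete, so anything appended after it is "trailing
// bytes". Before PHP 8.3 unserialize() ignored such bytes silently; PHP 8.3
// emits an E_WARNING for them. Neither is a hard failure by default.

// Constructed sample inputs.
$clean        = serialize(['user' => 'alice', 'admin' => false]);
$withTrailing = $clean . 'i:1;}junk-appended-by-attacker';

/**
 * Hypothetical helper: unserialize() that refuses input it cannot fully consume.
 *
 * @param string $data           the serialized payload
 * @param array  $allowedClasses passed through as allowed_classes; empty array
 *                               means "no objects at all", which is the safe default
 */
function strictUnserialize(string $data, array $allowedClasses = []): mixed
{
    // 1. Turn every warning/notice raised inside unserialize() into an exception,
    //    so a trailing-bytes warning cannot be swallowed by the production log level.
    set_error_handler(static function (int $errno, string $errstr): never {
        throw new UnexpectedValueException("unserialize() failed: $errstr", $errno);
    });
    try {
        $value = unserialize($data, ['allowed_classes' => $allowedClasses]);
    } finally {
        restore_error_handler();
    }

    // 2. unserialize() returns false for malformed input; 'b:0;' is the one
    //    legitimate payload that also decodes to false.
    if ($value === false && $data !== 'b:0;') {
        throw new UnexpectedValueException('unserialize() rejected the input');
    }

    // 3. Round-trip check for engines that accept trailing bytes silently:
    //    the canonical re-serialization of what we got back must equal the
    //    entire input, otherwise some bytes were never consumed.
    if (serialize($value) !== $data) {
        throw new UnexpectedValueException('unserialize() did not consume the entire input');
    }

    return $value;
}

// Usage: the clean payload decodes, the one with trailing bytes is rejected.
var_dump(strictUnserialize($clean));

try {
    strictUnserialize($withTrailing);
} catch (UnexpectedValueException $e) {
    fwrite(STDERR, $e->getMessage() . PHP_EOL);
}
```

The round-trip comparison in step 3 is exact for arrays of strings, integers and booleans, but it can produce false positives for values whose canonical form differs from the input (floats, objects with custom __serialize()/__unserialize(), shared references). On PHP 8.3 and later the error-handler conversion in step 1 already catches trailing bytes, so the round-trip check can be dropped there; on older versions it is the only signal available, and the false-positive cases are usually payloads you should not be accepting from untrusted sources anyway.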