Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:119751 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 37573 invoked from network); 28 Mar 2023 07:28:00 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 28 Mar 2023 07:28:00 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id DF70718037E for ; Tue, 28 Mar 2023 00:27:59 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15623 212.45.192.0/19 X-Spam-Virus: No X-Envelope-From: Received: from mail.gna.ch (mail.gna.ch [212.45.196.109]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Tue, 28 Mar 2023 00:27:59 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by darkcity.gna.ch (Postfix) with ESMTP id B303D3A1DCB for ; Tue, 28 Mar 2023 09:27:58 +0200 (CEST) X-Virus-Scanned: amavisd-new at example.com Received: from mail.gna.ch ([127.0.0.1]) by localhost (darkcity.gna.ch [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nh6_cdIZTFda for ; Tue, 28 Mar 2023 09:27:58 +0200 (CEST) Received: from smtpclient.apple (unknown [IPv6:2a02:1210:2ea4:cf00:d5f5:91d7:c707:e14c]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by darkcity.gna.ch (Postfix) with ESMTPSA id 48EC53A1DC0 for ; Tue, 28 Mar 2023 09:27:58 +0200 (CEST) Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\)) Date: Tue, 28 Mar 2023 09:27:58 +0200 References: <1B77BC20-4EA6-453B-A39B-2406A4E53436@dafert.at> To: php internals In-Reply-To: Message-ID: <8E30718D-80AB-4631-9B5A-47499AF21CB0@cschneid.com> X-Mailer: Apple Mail (2.3731.400.51.1.1) Subject: Re: [PHP-DEV] RFC [Discussion]: Make unserialize() emit a warning for trailing bytes From: cschneid@cschneid.com (Christian Schneider) Am 28.03.2023 um 00:22 schrieb Larry Garfield : > On Mon, Mar 27, 2023, at 2:12 PM, Mel Dafert wrote: >> On 27 March 2023 20:20:58 CEST, "Micha=C5=82 Marcin Brzuchalski"=20 >> wrote: >>> Personally, I'd like the unserialize to throw an exception if = trailing bytes are detected. >>> If not by default then with the use of the option passed to = unserialize function. >>=20 >> If that's the desired direction, it makes more sense to emit a=20 >> deprecation notice now and throw an exception starting in 9.0. >=20 > I would also favor throwing an exception. This is a security vector = being closed, and that should be closed *hard*. Warnings tend to show = up where they're not useful (dev) and get not noticed where they are = (prod). Go all the way to an exception here. I'm not sure why you say this because our set up is the opposite: On dev = the warnings are on screen (and could potentially be missed), on = production they generate an alert so they are much harder to miss. = That's a set up I would recommend, it has worked well for us in = maintaining quite an old code base while migrating it to the current PHP = version. > I'm flexible on if that happens in 8.3 or 9. Maybe warning now, with = exception in 9? I don't know if that's better from a BC POV, but it = should end up as an exception. I'm generally in favor of going through a warning phase before switching = to an exception but if the people here consider this a real security = issue I wouldn't rally against an exception. Regards, - Chris