Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:128660 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by lists.php.net (Postfix) with ESMTPS id 280FF1A00BC for ; Mon, 8 Sep 2025 20:44:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1757364191; bh=mCpsZgJ1GoEITYwxJbYqqMBMRU0t6UezW9I4hRvEYvA=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=lBc8hXEYYwR1wlZbYy1QowB+l5u4qtZ89boNK5dqUMvge1+WwzZx462iVb/JtSO3R 2EfczCHpHU9jqgugL6RLd6P9mlkzKZTsmKds6mvFuRBU0mnkPbCMw134qoAULmNTen aUHAPzxLx7UtFFLPj5/ReC9787x6HgkLXpJTlUHHUGo83ljT3LBuhhljk4RopNDEF/ Fphx3xfb9o8Tw5ern+6fG1iBzOg33/jP13rT8af0ckh3Rd95vaHvWJdnmBhHZbN1UA mllxpxAuhltLxk7Jrzwgs/UqLiy6JF2GaFBS1QpVFUsk5+o1H/bKB/NosH/XaL8GEz Qf7J97lGY/atA== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 19E5A1801E8 for ; Mon, 8 Sep 2025 20:43:10 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=4.0.1 X-Spam-Virus: No X-Envelope-From: Received: from chrono.xqk7.com (chrono.xqk7.com [176.9.45.72]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Mon, 8 Sep 2025 20:43:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bastelstu.be; s=mail20171119; t=1757364275; bh=lrRif60/6dSVHJ6wXvvYe89+Om9vkFcuK5nD4bbJuDc=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type:from:to:cc:subject:message-id; b=mu5/JJX0WeffwRnSGYbxxO1aJx3AmGR+gpFkvRXE+kDWpzgVtUqOjUxoYgi8AyYkw XW72TBsxeDwyOM7ZttkaNqPv4Yyh94GyAkPWrHPQqjap5JzY9gbQOg19Px17HAJapz EDRtMvmowmmZ7hzZPSaM6rFE1aiLtDlBt3VmzVo6tr9Yx0fLNH6wZ3duyaQ2r/M+1G LW6KG7xWAYyfuYPoiPkXsGdErgHbabXNtasNCwz8/YQ+V6yswS6bXDSzVE2ClthUsf /lIkaqWFcmjfX1n2/xp99UU06+os1Rt2xjMg5ji7aQcQGv/pPKNz+FQnLt2PSRJe9g hvWdQ/4nOgxrg== Message-ID: Date: Mon, 8 Sep 2025 22:44:33 +0200 Precedence: list list-help: list-post: List-Id: x-ms-reactions: disallow MIME-Version: 1.0 Subject: Re: [PHP-DEV] [RFC] Soft-Deprecate __sleep() and __wakeup() To: Jakub Zelenka Cc: Nicolas Grekas , PHP Internals List References: Content-Language: en-US In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit From: tim@bastelstu.be (=?UTF-8?Q?Tim_D=C3=BCsterhus?=) Hi On 9/8/25 17:32, Jakub Zelenka wrote: > I think the point here was that it was close and the RFC itself was Again, a 2/3 majority is *not* close. Twice the number of folks were in favor than against the RFC. > misleading and omitted some important points that would like change the > final result. I concede that “straight up improvement” might not be perfectly accurate for `__wakeup()`, but for `__sleep()` it *is* accurate. `__sleep()` is broken and there's a straight-forward migration to `__serialize()`. I appreciate that both of you communicated your concerns with the proposed deprecation during the discussion, but you basically just said “I believe the impact is too large”, which is not actionable feedback for the RFC author and also doesn't help voters make an educated decision. The point of the discussion phase is figuring out these details together. >> The serialization mechanism is also a security sensitive part of the >> language, the fewer moving parts there are, the better. Security is part >> of the motivation for me. >> >> > Could you be more specific here? We do not consider issues (crashes and > similar) resulting from unserializing of the serialized string as security > issues because it must not come from the untrusted source (see > https://www.php.net/manual/en/function.unserialize.php ). I don't remember > any security issue in serialize / unserialize since this rule was set. Even when only dealing with trusted data, unserialize needs to parse inputs (which is already sufficiently dangerous in C) and it also needs to deal with partial(ly initialized) object graphs all while executing arbitrary (userland) code that may or may not interact in weird ways (e.g. when error handlers get involved due to a bug in a custom unserialize hook). And of course there can also be bugs with the serializer that result in “trusted” output that triggers unexpected and untested code-paths, particularly when references or cycles get involved. When running with mixed PHP versions during an incremental upgrade it might also be possible for serialization data to be emitted by newer PHP versions that may not be anticipated by older PHP versions and that trigger unexpected code-paths. And then there's also stuff like https://wiki.php.net/rfc/unserialize_warn_on_trailing_data, which can happen due to bugs in a userland implementation even when not doing unserialize($_GET['stuff']). Saying that “unserialize is not security-relevant because you must only feed it safe inputs” as an excuse to avoid making unserialize safer is not helping anyone and is downplaying the risks involved in unserialization. For all those reasons, I've intentionally tried to make the unserialization hooks as robust as possible during review of newly added classes (e.g. ext/random, ext/uri, and also https://github.com/php/php-src/pull/19447), making them carefully check the structure of the serialization input and also having tests that verify robustness even when facing untrusted inputs, because that's just something that will happen in the real world, despite the documentation advising against it. Best regards Tim Düsterhus