Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:128661
Precedence: list
MIME-Version: 1.0
References: <CAOWwgpk1Z_bns=Z55TqpYOBXvBGpurMfjTGPSgQ6Uf5QXfLOjg@mail.gmail.com>
 <cddcbba0366184b616e34637b424645e@bastelstu.be> <CAEKnhAFFgpBSOU+yTAfvY6_ndZwOmKvOKZG=F2+mamqkJPfrrQ@mail.gmail.com>
 <b7d35ecd-d68a-45e8-be88-792a15b3d79b@bastelstu.be>
In-Reply-To: <b7d35ecd-d68a-45e8-be88-792a15b3d79b@bastelstu.be>
Date: Mon, 8 Sep 2025 23:14:24 +0200
Message-ID: <CAEKnhAHxBZORfkByM-EuBpc1CYiY=3FkwsgBsSubxfChKpXAww@mail.gmail.com>
Subject: Re: [PHP-DEV] [RFC] Soft-Deprecate __sleep() and __wakeup()
To: =?UTF-8?Q?Tim_D=C3=BCsterhus?= <tim@bastelstu.be>
Cc: Nicolas Grekas <nicolas.grekas+php@gmail.com>, 
	PHP Internals List <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="000000000000b2f770063e50ac38"
From: bukka@php.net (Jakub Zelenka)

--000000000000b2f770063e50ac38
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi,

On Mon, Sep 8, 2025 at 10:44=E2=80=AFPM Tim D=C3=BCsterhus <tim@bastelstu.b=
e> wrote:

> Hi
>
> On 9/8/25 17:32, Jakub Zelenka wrote:
> > I think the point here was that it was close and the RFC itself was
>
> Again, a 2/3 majority is *not* close. Twice the number of folks were in
> favor than against the RFC.
>
>
I meant close to the actual threshold (not close vote). Again if single
person changed their mind because of the facts below (which is quite
likely), it might not have passed.

This RFC is just about to see if people can see that there is significantly
more effort needed for this migration. It just tries to make sure that
people can vote on the right description. If they don't think, that's wort
it to change the result, then so be it. But I think it's fair to provide an
RFC with a correct description so it can be properly decided.


> > misleading and omitted some important points that would like change the
> > final result.
>
> I concede that =E2=80=9Cstraight up improvement=E2=80=9D might not be per=
fectly accurate
> for `__wakeup()`, but for `__sleep()` it *is* accurate. `__sleep()` is
> broken and there's a straight-forward migration to `__serialize()`.
>
> I appreciate that both of you communicated your concerns with the
> proposed deprecation during the discussion, but you basically just said
> =E2=80=9CI believe the impact is too large=E2=80=9D, which is not actiona=
ble feedback
> for the RFC author and also doesn't help voters make an educated
> decision. The point of the discussion phase is figuring out these
> details together.
>
>
Yeah as I mentioned it was also my fault not to point this out sooner but
it's hard to verify every single thing in detail if there are like 50
deprecations proposed.


> >> The serialization mechanism is also a security sensitive part of the
> >> language, the fewer moving parts there are, the better. Security is pa=
rt
> >> of the motivation for me.
> >>
> >>
> > Could you be more specific here? We do not consider issues (crashes and
> > similar) resulting from unserializing of the serialized string as
> security
> > issues because it must not come from the untrusted source (see
> > https://www.php.net/manual/en/function.unserialize.php ). I don't
> remember
> > any security issue in serialize / unserialize since this rule was set.
>
> Even when only dealing with trusted data, unserialize needs to parse
> inputs (which is already sufficiently dangerous in C) and it also needs
> to deal with partial(ly initialized) object graphs all while executing
> arbitrary (userland) code that may or may not interact in weird ways
> (e.g. when error handlers get involved due to a bug in a custom
> unserialize hook). And of course there can also be bugs with the
> serializer that result in =E2=80=9Ctrusted=E2=80=9D output that triggers =
unexpected and
> untested code-paths, particularly when references or cycles get
> involved. When running with mixed PHP versions during an incremental
> upgrade it might also be possible for serialization data to be emitted
> by newer PHP versions that may not be anticipated by older PHP versions
> and that trigger unexpected code-paths.
>
>
I understand your concern about the complexity but this can apply to many
other parts in php-src. As I'm sure you know, this still wouldn't likely to
be considered as a security issue.


> And then there's also stuff like
> https://wiki.php.net/rfc/unserialize_warn_on_trailing_data, which can
> happen due to bugs in a userland implementation even when not doing
> unserialize($_GET['stuff']).
>
>
This could be closer but we wouldn't like find exploit either. At least
this wasn't even raised as a security issue so I guess you were expecting
that not to be a security problem.


> Saying that =E2=80=9Cunserialize is not security-relevant because you mus=
t only
> feed it safe inputs=E2=80=9D as an excuse to avoid making unserialize saf=
er is
> not helping anyone and is downplaying the risks involved in
> unserialization.
>
>
I don't have problem with making unserialize safer as there might be users
that use it improperly.  But we shouldn't be saying that this is a security
sensitive part when we don't consider those sort of issues as security
issues because none of those issues will get fixed in our security support
only releases. In that sense I don't think we can consider it as a security
sensitive part.

Kind regards

Jakub

--000000000000b2f770063e50ac38
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hi,</div><br><div class=3D"gmail_quote gmail_quote_co=
ntainer"><div dir=3D"ltr" class=3D"gmail_attr">On Mon, Sep 8, 2025 at 10:44=
=E2=80=AFPM Tim D=C3=BCsterhus &lt;<a href=3D"mailto:tim@bastelstu.be">tim@=
bastelstu.be</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" styl=
e=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);paddin=
g-left:1ex">Hi<br>
<br>
On 9/8/25 17:32, Jakub Zelenka wrote:<br>
&gt; I think the point here was that it was close and the RFC itself was<br=
>
<br>
Again, a 2/3 majority is *not* close. Twice the number of folks were in <br=
>
favor than against the RFC.<br>
<br></blockquote><div><br></div><div>I meant close to the actual threshold =
(not close vote). Again if single person changed their mind because of the =
facts below (which is quite likely), it might not have passed.</div><div><b=
r></div><div>This RFC is just about to see if people can see that there is =
significantly more effort needed for this migration. It just tries to make =
sure that people can vote on the right description. If they don&#39;t think=
, that&#39;s wort it to change the result, then so be it. But I think it=
9;s fair to provide an RFC with a correct description so it can be properly=
 decided.</div><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"=
margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-lef=
t:1ex">
&gt; misleading and omitted some important points that would like change th=
e<br>
&gt; final result.<br>
<br>
I concede that =E2=80=9Cstraight up improvement=E2=80=9D might not be perfe=
ctly accurate <br>
for `__wakeup()`, but for `__sleep()` it *is* accurate. `__sleep()` is <br>
broken and there&#39;s a straight-forward migration to `__serialize()`.<br>
<br>
I appreciate that both of you communicated your concerns with the <br>
proposed deprecation during the discussion, but you basically just said <br=
>
=E2=80=9CI believe the impact is too large=E2=80=9D, which is not actionabl=
e feedback <br>
for the RFC author and also doesn&#39;t help voters make an educated <br>
decision. The point of the discussion phase is figuring out these <br>
details together.<br>
<br></blockquote><div><br></div><div>Yeah as I mentioned it was also my fau=
lt not to point this out sooner but it&#39;s hard to verify every single th=
ing in detail if there are like 50 deprecations proposed.</div><div>=C2=A0<=
/div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;bo=
rder-left:1px solid rgb(204,204,204);padding-left:1ex">
&gt;&gt; The serialization mechanism is also a security sensitive part of t=
he<br>
&gt;&gt; language, the fewer moving parts there are, the better. Security i=
s part<br>
&gt;&gt; of the motivation for me.<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt; Could you be more specific here? We do not consider issues (crashes an=
d<br>
&gt; similar) resulting from unserializing of the serialized string as secu=
rity<br>
&gt; issues because it must not come from the untrusted source (see<br>
&gt; <a href=3D"https://www.php.net/manual/en/function.unserialize.php" rel=
=3D"noreferrer" target=3D"_blank">https://www.php.net/manual/en/function.un=
serialize.php</a> ). I don&#39;t remember<br>
&gt; any security issue in serialize / unserialize since this rule was set.=
<br>
<br>
Even when only dealing with trusted data, unserialize needs to parse <br>
inputs (which is already sufficiently dangerous in C) and it also needs <br=
>
to deal with partial(ly initialized) object graphs all while executing <br>
arbitrary (userland) code that may or may not interact in weird ways <br>
(e.g. when error handlers get involved due to a bug in a custom <br>
unserialize hook). And of course there can also be bugs with the <br>
serializer that result in =E2=80=9Ctrusted=E2=80=9D output that triggers un=
expected and <br>
untested code-paths, particularly when references or cycles get <br>
involved. When running with mixed PHP versions during an incremental <br>
upgrade it might also be possible for serialization data to be emitted <br>
by newer PHP versions that may not be anticipated by older PHP versions <br=
>
and that trigger unexpected code-paths.<br>
<br></blockquote><div><br></div><div>I understand your concern about the co=
mplexity but this can apply to many other parts in php-src. As I&#39;m sure=
 you know, this still wouldn&#39;t likely to be considered as a security is=
sue.</div><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margi=
n:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex=
">
And then there&#39;s also stuff like <br>
<a href=3D"https://wiki.php.net/rfc/unserialize_warn_on_trailing_data" rel=
=3D"noreferrer" target=3D"_blank">https://wiki.php.net/rfc/unserialize_warn=
_on_trailing_data</a>, which can <br>
happen due to bugs in a userland implementation even when not doing <br>
unserialize($_GET[&#39;stuff&#39;]).<br>
<br></blockquote><div><br></div><div>This could be closer but we wouldn&#39=
;t like find exploit either. At least this wasn&#39;t even raised as a secu=
rity issue so I guess you were expecting that not to be a security problem.=
</div><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0p=
x 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Saying that =E2=80=9Cunserialize is not security-relevant because you must =
only <br>
feed it safe inputs=E2=80=9D as an excuse to avoid making unserialize safer=
 is <br>
not helping anyone and is downplaying the risks involved in unserialization=
.<br>
<br></blockquote><div><br></div><div>I don&#39;t have problem with making u=
nserialize safer as there might be users that use it improperly.=C2=A0 But =
we shouldn&#39;t be saying that this is a security sensitive part when we d=
on&#39;t consider those sort of issues as security issues because none of t=
hose issues will get fixed in our security support only releases. In that s=
ense I don&#39;t think we can consider it as a security sensitive part.</di=
v><div><br></div><div>Kind regards</div><div><br></div><div>Jakub</div><div=
><br></div><div><br></div></div></div>

--000000000000b2f770063e50ac38--