Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:75042 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 16184 invoked from network); 23 Jun 2014 07:54:47 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 23 Jun 2014 07:54:47 -0000 Authentication-Results: pb1.pair.com smtp.mail=julienpauli@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=julienpauli@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.128.179 as permitted sender) X-PHP-List-Original-Sender: julienpauli@gmail.com X-Host-Fingerprint: 209.85.128.179 mail-ve0-f179.google.com Received: from [209.85.128.179] ([209.85.128.179:37198] helo=mail-ve0-f179.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 44/20-14743-64DD7A35 for ; Mon, 23 Jun 2014 03:54:46 -0400 Received: by mail-ve0-f179.google.com with SMTP id sa20so5729455veb.38 for ; Mon, 23 Jun 2014 00:54:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=Cfyo+zPnmiYUdxaNZ4GuHMPUm+hiXZZn1O8tz8i5nM0=; b=mDc/QoEwBIKfWbNh9ccauLl0+XcW2kl5+RvW9brcN12dlU6iJfwrh4Wvh4tMn1RHpw uLEdpelkneBPNGBDw1Ep8i+2q61gfxO6nLlZ/ZLBy+UsDNeZ4qL8iKIifpsm1rMWlw0k 3xFMKlciQ4fXCAbvcJVa8VmLxuj6JPoRgYA0zv0nn+DAfgXP7j0CKq4fO+SxfklawHy9 IBKHqYehxfaZR1ubS2ap0lqNWnapLOIHSK5bfm1W1Jy9mm4Sv8LJgKx47c9Yj+oeoWdF K7UcdgykwED04k/UPeoLvOAhIcKIN+2zutRO2sxNjwESLrU9RnodWj50cOs01hgDUjW2 ddFg== X-Received: by 10.58.236.170 with SMTP id uv10mr5355063vec.31.1403510083647; Mon, 23 Jun 2014 00:54:43 -0700 (PDT) MIME-Version: 1.0 Sender: julienpauli@gmail.com Received: by 10.220.81.68 with HTTP; Mon, 23 Jun 2014 00:54:02 -0700 (PDT) In-Reply-To: <53A772D0.3010404@sugarcrm.com> References: <53A1C722.9060501@fedoraproject.org> <53A21137.6010705@sugarcrm.com> <53A2A9BD.1070603@sugarcrm.com> <53A3874E.20704@sugarcrm.com> <53A65578.6000701@sugarcrm.com> <53A772D0.3010404@sugarcrm.com> Date: Mon, 23 Jun 2014 09:54:03 +0200 X-Google-Sender-Auth: 0csEky6jHhPmDKd2sLHgm41BekI Message-ID: To: Stas Malyshev Cc: Ferenc Kovacs , Sebastian Bergmann , Remi Collet , PHP Internals Content-Type: text/plain; charset=UTF-8 Subject: Re: Bug 67072 resolution for 5.4/5.5 From: jpauli@php.net (Julien Pauli) On Mon, Jun 23, 2014 at 2:20 AM, Stas Malyshev wrote: > Hi! > >> for the issue to materialize you need to feed hand-crafted input to >> unserialize, > > True. > >> anybody doing that with user controlled data already asking >> for problems, > > True in theory, in practice this is widely and commonly done. > >> I prefer this over what we have in 5.4/5.5 and given how few classes >> does 1, actually mean, I think it would be an acceptable compromise, but >> let's hear what others think. > > Cool, waiting for others to chime in. > >> ps: I've seen that you created a pull request with the patch, if >> somebody don't wanna copypaste the patch from the mail, here it is: >> https://github.com/php/php-src/pull/701 > > Yes, thanks for quoting it, it seems to be green on Travis and phpunit > also seems to work fine with it. I also added a unit tests with a couple > of cases to see how it's supposed to work. > > -- > Stanislav Malyshev, Software Architect > SugarCRM: http://www.sugarcrm.com/ > (408)454-6900 ext. 227 Hello, I find the compromise nice. The goal is to have something barely working in most use cases for 5.4 and 5.5, and prepare something nicer and stronger for 5.6. So, the proposed patch ( Stas' ) is nice for this, as comon tools still work. I'm also ok for the 5.6 statements : - Disalow O: for classes with custom serializer - Unlock newInstanceArgWithoutConstructor() for internal classes Note that unlocking newInstanceArgWithoutConstructor() for internal classes may require lot of work. Remi already tried to patch some extensions for them to work AFAIR. Julien