Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:75921 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 67282 invoked from network); 23 Jul 2014 05:58:19 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 23 Jul 2014 05:58:19 -0000 Authentication-Results: pb1.pair.com header.from=tyra3l@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=tyra3l@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.192.48 as permitted sender) X-PHP-List-Original-Sender: tyra3l@gmail.com X-Host-Fingerprint: 209.85.192.48 mail-qg0-f48.google.com Received: from [209.85.192.48] ([209.85.192.48:56945] helo=mail-qg0-f48.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 64/6E-21666-9FE4FC35 for ; Wed, 23 Jul 2014 01:58:17 -0400 Received: by mail-qg0-f48.google.com with SMTP id i50so854867qgf.7 for ; Tue, 22 Jul 2014 22:58:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=2fOdalSmg78cCkZfEnHWI9XzOblUCg6DkUpCG7QRaf0=; b=pDPP0ox0fDd6jp0xGHFcwxwv7I2+qQq9jD5m2QDkNZ5V7qI0tDAn7CCcWx5FzuUMSs dR5CkZHaI59dPvq+yUGPUsXweGDieUeaj5ov3jsoGF68wcrpgb5T8tiT7uzjO33cJ543 g/t6SrEzFj6Of1Dj2EFlYkMHqfw3H6F9BMksVY1kbv2dkbb6+SkQNpLtGB8mMRfJXLD1 3i7qjEHKfQuXPHC+YmifcuiVkFKRF9tBwB8yHxX+CgCuLs7Hpufy3Kg6dEQgueYNwyiQ wrcSsReogzks2v5Naopp9nkxnXBwboEsS75V0MZPdCXysPHddsqPICPCKwC2CJa7gt39 pTZg== MIME-Version: 1.0 X-Received: by 10.224.172.74 with SMTP id k10mr15364825qaz.43.1406095095411; Tue, 22 Jul 2014 22:58:15 -0700 (PDT) Received: by 10.140.102.111 with HTTP; Tue, 22 Jul 2014 22:58:15 -0700 (PDT) In-Reply-To: References: <53A1C722.9060501@fedoraproject.org> <53A21137.6010705@sugarcrm.com> <53A2A9BD.1070603@sugarcrm.com> <53A3874E.20704@sugarcrm.com> <53A62AFF.4080302@sugarcrm.com> <53B10D59.4060206@sugarcrm.com> Date: Wed, 23 Jul 2014 07:58:15 +0200 Message-ID: To: Julien Pauli Cc: Nikita Popov , Alexey Zakhlestin , Stas Malyshev , Marco Pivetta , Sebastian Bergmann , Remi Collet , PHP Internals Content-Type: multipart/alternative; boundary=001a11c23202aeb9c304fed606da Subject: Re: [PHP-DEV] Problems with the fix for the BC break introduced in 5.4.29 and 5.5.13 From: tyra3l@gmail.com (Ferenc Kovacs) --001a11c23202aeb9c304fed606da Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Tue, Jul 22, 2014 at 6:20 PM, Julien Pauli wrote: > On Tue, Jul 22, 2014 at 2:04 PM, Ferenc Kovacs wrote: > > > > > > > > On Tue, Jul 22, 2014 at 1:48 PM, Nikita Popov > wrote: > >> > >> On Tue, Jul 22, 2014 at 12:27 PM, Ferenc Kovacs > wrote: > >>> > >>> sorry for the late reply. > >>> you are right and after looking into the implementation I think class= es > >>> having custom object storage (eg. create_object) shouldn't assume tha= t > >>> their __construct will be called, but either do the initialization in > the > >>> create_object hook or validate in the other methods that the object w= as > >>> properly initialized. > >>> given that this lack of initialization problem is already present(you > can > >>> extend such a class and have a __construct() in the subclass which > >>> doesn't > >>> call the parent constructor), and we want to keep the unserialize tri= ck > >>> fixed (as that exposes this problems to the remote attacker when some > >>> code > >>> accepts arbitrary serialized data from the client) I see no reason to > >>> keep > >>> the limitation in the ReflectionClass::newInstanceWithoutConstructor(= ) > >>> and > >>> allowing the instantiation of internal classes will provide a clean > >>> upgrade > >>> path to doctrine and co. > >>> ofc. we have to fix the internal classes misusing the constructor for > >>> proper initialization one by one, but that can happen after the initi= al > >>> 5.6.0 release (ofc it would be wonderful if people could lend me a ha= nd > >>> for > >>> fixing as much as we can before the release), but we have to fix thos= e > >>> anyways. > >> > >> > >> This sounds reasonable to me. newInstanceWithoutConstructor does not > have > >> the same remote exploitation concerns as serialize, so allowing crashe= s > here > >> that can also be caused by other means seems okay to me (especially if > we're > >> planning to fix them lateron). Only additional restriction I'd add is = to > >> disallow calling it on an internal + final class. For those the > __construct > >> argument does not apply. For them the entity-extending-internal-class > >> usecase doesn't apply either, so that shouldn't be a problem. > >> > >> Nikita > >> > > > > Thanks for the prompt reply! > > I was considering mentioning the final constructors, but as we previous= ly > > didn't checked that and from a quick look it seems that we are mostly > using > > it as an easy/cheap way to make sure that the object is initialized > properly > > (which could also happen when a subclass calls parent::__construct() fr= om > > it's constructor) which isn't exactly the best usecase for final. > > But I don't really mind having that check. > > I'm +1 also with the idea. > > Just take care to have a clone_handler defined as well, as the default > clone handler doesn't call create_object. > http://lxr.php.net/xref/PHP_5_5/Zend/zend_objects.c#218 > > Julien > thanks, I will keep that in mind when we start moving the initialization from the constructors into the create_object functions. I've also went ahead and created a pull request for the proposed changes: https://github.com/php/php-src/pull/733 as you can see I've taken Nikita's advice and internal classes with final constructors are still not allowed to be instantiated. --=20 Ferenc Kov=C3=A1cs @Tyr43l - http://tyrael.hu --001a11c23202aeb9c304fed606da--