Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:87460 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 6581 invoked from network); 31 Jul 2015 21:23:09 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 31 Jul 2015 21:23:09 -0000 Authentication-Results: pb1.pair.com smtp.mail=tyra3l@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=tyra3l@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.49 as permitted sender) X-PHP-List-Original-Sender: tyra3l@gmail.com X-Host-Fingerprint: 209.85.215.49 mail-la0-f49.google.com Received: from [209.85.215.49] ([209.85.215.49:33148] helo=mail-la0-f49.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 7A/23-24609-A37EBB55 for ; Fri, 31 Jul 2015 17:23:07 -0400 Received: by labks4 with SMTP id ks4so6045782lab.0 for ; Fri, 31 Jul 2015 14:23:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Houxld0K4sMq8/5H9JCEOMiElLTmifrl7u2yPYF+ByE=; b=sAp1gogES2StKFy4CxvLinzqoAO5ie6qd0ndLmgl+euXisfeDbNliaGdJ99NV/iRFH vbrAjV7vakrnp0BQg+wgE7HS8CoFHfly8hh3REdGP9JnAuGGs+OMuVtdaNff1xBF6V59 Ml3LdU7WL+tqlviMXXpwfWMm+4WADqqqL+a7AnmsEH4HtlFV3+bqb2wR0Hl0btGbSnj0 9sfAkgI6iFPHES5gTKUpppx0QVBAYRkz1p288JUyVGEEy2ZZ6P32P72rTAnNJCpiM3+R 4DdBomKtYrj4Dabt3dJSOMRb+MEedTD3D0BN/gy82/lHxrFi2lChmK2nP5iBYPz2hspi yt9Q== MIME-Version: 1.0 X-Received: by 10.152.116.13 with SMTP id js13mr5371377lab.62.1438377783806; Fri, 31 Jul 2015 14:23:03 -0700 (PDT) Received: by 10.152.43.105 with HTTP; Fri, 31 Jul 2015 14:23:03 -0700 (PDT) In-Reply-To: <55BBD2EE.2070008@gmail.com> References: <550FA2ED.6080000@gmail.com> <55B7B08E.7070700@gmail.com> <55BBD2EE.2070008@gmail.com> Date: Fri, 31 Jul 2015 23:23:03 +0200 Message-ID: To: Stanislav Malyshev Cc: Nikita Popov , PHP Internals Content-Type: multipart/alternative; boundary=001a11c3416cdb5355051c326c81 Subject: Re: [PHP-DEV] Re: Serializing exceptions From: tyra3l@gmail.com (Ferenc Kovacs) --001a11c3416cdb5355051c326c81 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Fri, Jul 31, 2015 at 9:56 PM, Stanislav Malyshev wrote: > Hi! > > > Personally I feel the restoring them impossible argument weak, consider > > that we allow stuff like serializing resources without even a notice. > > Not sure what you mean by that. If you try to serialize resource, you > just get an integer. Not ideal, as a remanant of the times in PHP where > the approach was "if it doesn't make sense, do whatever and hope the > user is ok with that", but certainly it's not "serializing resources". > your argument was that we shouldn't allow serialization of such items where after the unserliazion you won't get the same thing back. this is where my point about we allow serializing resources just fine was aimed at. > It's "ignoring resources when serializing and producing integers > instead". Replacing Exceptions with integers probably won't work that > well :) > nobody suggested replacing Exceptions with integers, but serializing Closure to "Closure #1" or similar (albeit we could even do a better job, similarly how java8 supports lambda serialization). > > > Based on my own experiences where I had to fix multiple apps when we > > introduced the unserializable Closure (mostly error logger and debuggin= g > > tools) which got passed as argument in the backtrace I would prefer if > > we could remove that restriction. > > I don't see how we can really remove the underlying problem - Exceptions > contain backtraces, which means serializing them tries to serialize a > ton of stuff that may be not only not serializable but outright > dangerous to carry around - such as keys, passwords, etc. var_export() shares the same problem, should we then also try to remove __toString() from closures? or try for looking for passwords or credit card data in the variable? I think that your argument is really streched. I'm not saying that we should give more rope for the developers to hang themselves but the current situations sucks (you can serialize basically anything but Closure) and I think that your suggested way of solving the problem would create a medium sized BC break for little gain as it would only fix a specific scenario (people like in your SO link in the opening post would still try to debug_backtrace() from their logger/debugger which would trigger the same problem that the Closure arg can't be serialized). > Given how many > problems we have had with serialization of complex objects lately, and > given that I still see absolutely no practical use of actually > serializing exceptions I would rather remove it and reduce the > vulnerable surface than keep dealing with dozens of issues that continue > to pop up from that. > that's true, but you would only remove a single attack vector via removing an otherwise useful feature those issues would be still present, still reported, we should still fix then, even if you can't trigger them via an exception logger but a session unserialized. > BTW what you mean by "unserializable Closure"? As far as I know you can > not serialize Closure. > I mean exactly that and btw. that was the original problem in the Stackoverflow post you cited in your opening post ( http://stackoverflow.com/questions/9747813/storing-a-php-exception-object-i= n-a-database ). --=20 Ferenc Kov=C3=A1cs @Tyr43l - http://tyrael.hu --001a11c3416cdb5355051c326c81--