Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:94232 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 74728 invoked from network); 23 Jun 2016 17:54:06 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 23 Jun 2016 17:54:06 -0000 Authentication-Results: pb1.pair.com header.from=php@golemon.com; sender-id=softfail Authentication-Results: pb1.pair.com smtp.mail=php@golemon.com; spf=softfail; sender-id=softfail Received-SPF: softfail (pb1.pair.com: domain golemon.com does not designate 209.85.214.46 as permitted sender) X-PHP-List-Original-Sender: php@golemon.com X-Host-Fingerprint: 209.85.214.46 mail-it0-f46.google.com Received: from [209.85.214.46] ([209.85.214.46:36863] helo=mail-it0-f46.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 8D/00-08667-B322C675 for ; Thu, 23 Jun 2016 13:54:03 -0400 Received: by mail-it0-f46.google.com with SMTP id a5so133026621ita.1 for ; Thu, 23 Jun 2016 10:54:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=golemon-com.20150623.gappssmtp.com; s=20150623; h=mime-version:sender:from:date:message-id:subject:to; bh=yhq4m5cxmIp0okjdd/phcB/Zoxh5ydMawSRaxDijhE4=; b=Gdh3DZKxO23aaQ2byloOXE4ekZs1pka2MhcDMuIFQbg9QWIMNTfUuCw49LlOLzbb5r H6geD4NANSsu15T6hzQSYmQ1OOVqpH9cG9mqkN4CSIM913ROyJwSpSt/Fnako7Vsmjrk blfOp6ZGHJhozHWMp/ERPma/CI7tojJtDKAtf6pHGCfK95Sgaf3Ys3maPlqVVcDbtjeI 0auRx/BiRWqP15WzSjXeE4kaIyeHFle/TY4x+S75V8MXoMQm+9+bXdTvS+91YVADYKix GfW7XIeFeE0SxTt6FtMj4tRn/FdJy0Lw5iswFAw2FRyS9tGpwJ6Jucg7LdgM7QecUJDy +8fg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:from:date:message-id:subject :to; bh=yhq4m5cxmIp0okjdd/phcB/Zoxh5ydMawSRaxDijhE4=; b=SiC74jy5shquQbYWpeT+K8Thghzc+ynkJqt+L1bVCf6Nj2tf2UxwUwblJLocAWDCTG sT9tE2Ec3syVdunzc0Ahw3CY/MtV5nIPtwyJ/sNy75CgA0qN5AbuXgu10AHCQQ7A4CLh oSLBhOJ4HdZMu5h37TYIFd3ab+jtiKdC4JQCJjzcuQYpw4zXznksQ6yEyC/pX9uyR6g8 m6sf/km/13O9GATrThrjPD/DZ8iG2mCN/WOK7R20GxygeZOCjlwnxDLs9XEqpmL7wjX6 oZ+Q699OFwcwEvS8Q1t0Vi1FvG2SInscMuiodPskBGyBUEV2/Y+xFq7dAPe69TZTdtR+ KGOg== X-Gm-Message-State: ALyK8tISYCQccvfRUNIW+kGQmcqFuIcOVYiL/JI0y5nUzgQ4h+jyfteUm2InyRvxLALYr8i+MVlM8W+K/Cxlcg== X-Received: by 10.36.228.133 with SMTP id o127mr2138202ith.9.1466704439609; Thu, 23 Jun 2016 10:53:59 -0700 (PDT) MIME-Version: 1.0 Sender: php@golemon.com Received: by 10.36.9.67 with HTTP; Thu, 23 Jun 2016 10:53:58 -0700 (PDT) X-Originating-IP: [212.78.164.170] Date: Thu, 23 Jun 2016 19:53:58 +0200 X-Google-Sender-Auth: w4moRsa1TA8OE8sgpKQH5tX2GvA Message-ID: To: PHP internals Content-Type: text/plain; charset=UTF-8 Subject: [Bug #68319] unserialize() with modified class definition. From: pollita@php.net (Sara Golemon) https://bugs.php.net/bug.php?id=68319 https://3v4l.org/irnRC The crux is this: * Object instance gets serialized with one definition, maybe stored in DB/file, whatever, the serialized value lives on. * Class definition changes slightly. In this case, a property changes visibility. * Serialized value is unserialized. The prop visibilities don't match. * PHP says, "Eh, whatevs, I'll make a dynamic prop of the same name." Possible resolutions: 1: Raise a warning and return false (as unserialize already does for parse errors) 2: Raise a warning and "correct" the visibility to match the current class definition 3: Raise a warning and continue duplicating the properties I don't think we need to be as terrible as option 3 since any code facing this problem right now can't actually access the unserialized value and is therefore broken in much worse ways. I think option 2 presents its own unquantified risks and should probably be avoided. So obviously, I vote option 1, but I'd like to get other's thoughts and opinions before addressing this bug. I'm going to go ahead and say ignore what HHVM does here. In this specific case they basically take option 2, but in the inverse case https://3v4l.org/ecM1Q they're precisely as broken as we are. -Sara