Hello everyone!
I’ve been working on a fix for the following bug: https://bugs.php.net/bug.php?id=74063
As became clear after the discussion under the proposed pull request here: https://github.com/php/php-src/pull/2378
there is no single way to handle serialization of internal classes.
As Nikita Popov proposed, it might be good to add “get_properties_for_serialize handler (or similar), which is a variant of get_properties that is used for serialization (and returns a temporary HT). This would allow us to use wakeup-based unserialization without leaking additional (PHP-level) properties.”
Thanks!
Andrew Nester
Bump on this thread because I would like to hear some feedback.
Thanks!