rfc:unserialize_warn_on_trailing_data
Differences
This shows you the differences between two versions of the page.
rfc:unserialize_warn_on_trailing_data [2023/03/20 00:13] – timwolla | rfc:unserialize_warn_on_trailing_data [2023/05/01 17:08] (current) – Formatting timwolla | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== PHP RFC: Make unserialize() emit a warning for trailing bytes ====== | ====== PHP RFC: Make unserialize() emit a warning for trailing bytes ====== | ||
* Version: 1.0 | * Version: 1.0 | ||
- | * Date: 2022-10-31 | + | * Date: 2023-03-27 |
* Author: Tim Düsterhus, timwolla@php.net | * Author: Tim Düsterhus, timwolla@php.net | ||
- | * Status: | + | * Status: |
+ | * Target Version: PHP 8.3 | ||
+ | * Implementation: | ||
* First Published at: https:// | * First Published at: https:// | ||
Line 12: | Line 14: | ||
Once PHP’s unserialization parser finds the trailing delimiter of the serialized value (`'';'' | Once PHP’s unserialization parser finds the trailing delimiter of the serialized value (`'';'' | ||
- | As < | + | As < |
One such issue would be overwriting existing serialized data with a shorter serialization payload, but without properly truncating the existing data to the shorter length. The newly written payload will properly unserialize, | One such issue would be overwriting existing serialized data with a shorter serialization payload, but without properly truncating the existing data to the shorter length. The newly written payload will properly unserialize, | ||
Line 22: | Line 24: | ||
Silently accepting trailing bytes can also be confusing to the human reader, when needing to debug issues with serialized data. The human reader might wonder why some information that is part of the serialized payload does not appear within the unserialized return value. | Silently accepting trailing bytes can also be confusing to the human reader, when needing to debug issues with serialized data. The human reader might wonder why some information that is part of the serialized payload does not appear within the unserialized return value. | ||
- | Furthermore emitting a warning for trailing bytes makes it easier to extend the serialization format in the future when giving the trailing bytes a meaning. | + | Furthermore emitting a warning for trailing bytes makes it easier to extend the serialization format in the future when giving the trailing bytes a meaning. |
===== Proposal ===== | ===== Proposal ===== | ||
Line 100: | Line 102: | ||
===== Future Scope ===== | ===== Future Scope ===== | ||
- | * Make this an error. | + | * Make this an exception. |
===== Proposed Voting Choices ===== | ===== Proposed Voting Choices ===== | ||
- | <doodle title=" | + | <doodle title=" |
* Yes | * Yes | ||
* No | * No | ||
Line 115: | Line 117: | ||
===== Implementation ===== | ===== Implementation ===== | ||
- | n/a | + | * https:// |
===== References ===== | ===== References ===== | ||
Line 123: | Line 125: | ||
===== Rejected Features ===== | ===== Rejected Features ===== | ||
- | n/a | + | * Throw an Exception instead of emitting |
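Review bot: the new Rejected Features entry "Throw an Exception instead of emitting" lands in the same revision that changes Future Scope from "Make this an error." to "Make this an exception.", so the page now lists the exception as both rejected and as future scope. State in one of the two entries that the exception is rejected for this RFC only and deferred to a later change, so readers and voters do not read the two sections as contradicting each other.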
rfc/unserialize_warn_on_trailing_data.1679271219.txt.gz · Last modified: 2023/03/20 00:13 by timwolla