rfc:not_serializable

rfc:not_serializable [2023/12/09 11:54] maxsem
rfc:not_serializable [2023/12/10 12:31] (current) maxsem
Line 1: Line 1:
 ====== PHP RFC: #[NotSerializable] ====== ====== PHP RFC: #[NotSerializable] ======
   * Version: 1.0   * Version: 1.0
-  * Date: 20123-11-26+  * Date: 2023-11-26
   * Author: Max Semenik, maxsem.wiki@gmail.com   * Author: Max Semenik, maxsem.wiki@gmail.com
-  * Status: Draft+  * Status: Under discussion
   * First Published at: http://wiki.php.net/rfc/not_serializable   * First Published at: http://wiki.php.net/rfc/not_serializable
  
Line 26: Line 26:
 </code> </code>
  
-Not only is this method bulky, it's also less readable. It also lacks a way for various code analysers to detect attempts to serialize such classes. If course, linters may introduce their own attributes/annotations to catch such mistakes; however various linters +Not only is this method bulky, it's also less readable. It also lacks a way to indicate the intention to various code analysers so that they could detect attempts to serialize such classes.
  
 ===== Analysis ===== ===== Analysis =====
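Review bot: the rewritten sentence "It also lacks a way to indicate the intention to various code analysers so that they could detect attempts to serialize such classes" is ambiguous about whose intention is meant; suggest "It also gives static analysers no way to see that the class was never meant to be serialized, so they cannot flag attempts to do so", which also replaces "could" with the present-tense reading the sentence needs. Dropping the unfinished "If course, linters may introduce their own attributes/annotations ... however various linters" fragment from the old text is the right call.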
Line 37: Line 37:
   * Wrappers for all the above. Imagine a PDO wrapper that creates connections on demand. If the connection hasn't been established yet, its serialization will succeed, which results in unpredictable behavior.   * Wrappers for all the above. Imagine a PDO wrapper that creates connections on demand. If the connection hasn't been established yet, its serialization will succeed, which results in unpredictable behavior.
   * Secret information that shouldn't be accidentally exfiltrated by being serialized.   * Secret information that shouldn't be accidentally exfiltrated by being serialized.
-  * Security-sensitive classes that are unsafe to unserialize with arbitrary data.+  * Security-sensitive classes that are unsafe to unserialize with arbitrary data ([[https://github.com/wikimedia/mediawiki-libs-ScopedCallback/blob/master/src/ScopedCallback.php|example in the wild]]).
  
 ===== Proposal ===== ===== Proposal =====
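Review bot: the new "example in the wild" link points at the ScopedCallback file on the master branch (.../blob/master/src/ScopedCallback.php), so the line it is meant to illustrate can move or disappear as the file changes; link to a fixed commit of that file instead, and say in the list item what the example shows (a class that guards against being unserialized with attacker-controlled data) so readers do not have to open the link to follow the argument.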
Line 51: Line 51:
 </code> </code>
  
-This change requires no changes to the engine whatsoever, all functionality is already present - it merely gets exposed to userspace.+The non-serializable flag is inherited by descendants: 
 + 
 +<code php> 
 +class MyOtherClass extends MyClass 
 +
 +
 + 
 +serialize(new MyOtherClass()); // Exception: Serialization of 'MyOtherClass' is not allowed 
 +</code> 
 + 
 +The above requires no changes to the engine whatsoever, all functionality is already present - it merely gets exposed to userspace. 
 + 
 +This feature will be exposed to reflection by the following additions to ReflectionClass: 
 + 
 +<code php> 
 +public const int IS_NOT_SERIALIZABLE = ZEND_ACC_NOT_SERIALIZABLE; 
 + 
 +public function isSerializable(): bool {} 
 +</code>
  
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
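Review bot: the statement "The above requires no changes to the engine whatsoever" now sits directly above an addition to ReflectionClass, which is an engine-side change in ext/reflection; reword it to say that enforcing the flag needs no new engine logic, while the reflection API does need a small addition. The new reflection names also have opposite polarity: the constant is IS_NOT_SERIALIZABLE but the method is isSerializable(), so either rename the method to isNotSerializable() to match the constant or state explicitly that isSerializable() returns the negation of the flag bit. Two listing problems in the same hunk: the inheritance snippet lost its class body, leaving two bare "+" lines after "class MyOtherClass extends MyClass" where "{}" should be, and "public function isSerializable(): bool {}" shows an empty body where a signature-only declaration is intended; either drop the braces or mark the block as a signature listing.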
rfc/not_serializable.1702122871.txt.gz · Last modified: 2023/12/09 11:54 by maxsem