rfc:phar_stop_autoloading_metadata

Differences

This shows you the differences between two versions of the page.

rfc:phar_stop_autoloading_metadata [2020/07/21 13:27] – Start voting tandre
rfc:phar_stop_autoloading_metadata [2020/08/04 13:43] (current) – close the vote tandre
Line 1: Line 1:
 ====== PHP RFC: Don't automatically unserialize Phar metadata outside getMetadata() ====== ====== PHP RFC: Don't automatically unserialize Phar metadata outside getMetadata() ======
-  * Version: 0.3+  * Version: 0.4
   * Date: 2020-07-07   * Date: 2020-07-07
   * Author: Tyson Andre <tandre@php.net>   * Author: Tyson Andre <tandre@php.net>
-  * Status: Voting+  * Status: Implemented
   * First Published at: https://wiki.php.net/rfc/phar_stop_autoloading_metadata   * First Published at: https://wiki.php.net/rfc/phar_stop_autoloading_metadata
   * Implementation: https://github.com/php/php-src/pull/5855   * Implementation: https://github.com/php/php-src/pull/5855
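Review bot: The Status line now reads Implemented, but the header still lists only the pull request under Implementation and does not say which PHP release the change shipped in. Suggest adding the target version next to the status, so that someone auditing phar handling can tell from the header alone whether their runtime still unserializes metadata when an archive is opened.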
Line 18: Line 18:
 Don't unserialize the metadata automatically when a phar file is opened by php. Make PHP unserialize the metadata **only** if ''%%Phar->getMetadata()%%'' or ''%%PharFile->getMetadata()%%'' is called directly. Don't unserialize the metadata automatically when a phar file is opened by php. Make PHP unserialize the metadata **only** if ''%%Phar->getMetadata()%%'' or ''%%PharFile->getMetadata()%%'' is called directly.
  
-Additionally, add an ''$allowed_classes'' parameter to both getMetadata() implementations, defaulting to the current behavior of allowing any classes (true)This will be passed to the call to ''unserialize()'' performed internally.+Additionally, add an ''array $unserialize_options = []'' parameter to both getMetadata() implementations, defaulting to the current default ''unserialize()'' behavior such as allowing any classes. (As an implementation detail, if ''$unserialize_options'' is set to anything other than the default, the resulting metadata won't be cached and this won't return the value from the cache. E.g. ''%%getMetaData(['allowed_classes' => []])%%'' after ''setMetadata(new stdClass())'' will likely trigger a ''%%unserialize(['allowed_classes' => []])%%'' call internally.)
  
 This implements one possible solution for https://bugs.php.net/bug.php?id=76774 This implements one possible solution for https://bugs.php.net/bug.php?id=76774
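Review bot: In the added parenthetical, the internal call is written as "unserialize(['allowed_classes' => []])", which puts the options array where the serialized data argument belongs, and the method is spelled getMetaData there but getMetadata in the rest of the paragraph. Suggest writing the call with the data argument first and settling on one spelling. "will likely trigger" is also too loose for behaviour that callers may depend on: say definitely whether a non-default $unserialize_options bypasses the cached value, and what the caller gets back in the setMetadata(new stdClass()) example when stdClass is not in allowed_classes. Because the default still allows any class, it would help to state outright that code reading metadata from archives it does not trust should pass a restrictive allowed_classes.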
Line 39: Line 39:
  
 Yes/No, requiring 2/3 majority to stop automatically unserializing metadata. Yes/No, requiring 2/3 majority to stop automatically unserializing metadata.
 +Voting started on 2020-07-21 and ended 2020-08-04.
  
-<doodle title="Stop automatically unserializing Phar metadata outside direct getMetadata() calls" auth="tandre" voteType="single" closed="false">+<doodle title="Stop automatically unserializing Phar metadata outside direct getMetadata() calls" auth="tandre" voteType="single" closed="true">
    * Yes    * Yes
    * No    * No
Line 60: Line 61:
  
 ===== Changelog ===== ===== Changelog =====
 +
 +0.4: Change from ''getMetadata($allowed_classes = ...)'' to ''getMetadata(array $unserialize_options = [])'' in this document. I forgot about max_depth being added in php 8.0 and the usefulness of being able to support future options added to unserialize() without changing the signature of getMetadata. Elaborate on implementation details ''$unserialize_options'' would lead to when setMetaData is called before ''%%$pharFileOrEntry->getMetadata(['allowed_classes' => $classes])%%''
  
 0.3: Clarify wording, add link to RFC announcement thread. Remove inapplicable ini defaults section. 0.3: Clarify wording, add link to RFC announcement thread. Remove inapplicable ini defaults section.
  
 0.2: Link to implementation. 0.2: Link to implementation.
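Review bot: The last sentence of the new 0.4 entry does not parse ("Elaborate on implementation details $unserialize_options would lead to when setMetaData is called before ...") and has no closing period. Suggest rewording it to say that the entry elaborates on what happens to the cached metadata when setMetadata() is called before getMetadata() with non-default $unserialize_options, and using the setMetadata spelling that the proposal text uses.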
rfc/phar_stop_autoloading_metadata.1595338073.txt.gz · Last modified: 2020/07/21 13:27 by tandre