author: Anatol Belski <ab@php.net> 2014-04-18 15:43:05 +0200
committer: Anatol Belski <ab@php.net> 2014-04-18 15:43:05 +0200
commit: 53c68811bae5f81047d101f9dc79532d89eed363
tree: d26e4894d3a8d55b0a0e92df3b201eaa621d8923
parent: c2acdbdd3deb6787329bf0aca8ab0c04ace2a50c
download: php-git-53c68811bae5f81047d101f9dc79532d89eed363.tar.gz
UPGRADING note about bug #67072
-rwxr-xr-x UPGRADING 3
-rw-r--r-- UPGRADING.INTERNALS 15
2 files changed, 18 insertions, 0 deletions
diff --git a/UPGRADING b/UPGRADING
index b484f94b50..74f59e6136 100755
--- a/UPGRADING
+++ b/UPGRADING
@@ -350,6 +350,9 @@ PHP 5.4 UPGRADE NOTES
- Since 5.4.7, ctor is always called when new user stream wrapper object is created.
Before, it was called only when stream_open was called.
+- Manipulated serialization strings for objects implementing Serializable by
+ replacing "C:" with "O:" at the start will now produce an error.
+
==============================
5. Changes to existing classes
==============================
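Review bot: the new UPGRADING item at "+- Manipulated serialization strings ..." names neither the release it lands in nor the bug it fixes, while the item directly above it opens with "Since 5.4.7," and the commit message ties this change to bug #67072; suggest opening the item the same way, e.g. "- Since 5.4.<release> (bug #67072), manipulated serialization strings ...", with the actual release filled in. "will now produce an error" should also say which error is raised (warning, notice or exception) so userland code knows what to expect from unserialize() on such input.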
diff --git a/UPGRADING.INTERNALS b/UPGRADING.INTERNALS
index e9d0adf554..8aa685fe44 100644
--- a/UPGRADING.INTERNALS
+++ b/UPGRADING.INTERNALS
@@ -12,6 +12,7 @@ UPGRADE NOTES - PHP X.Y
g. leak_variable
h. API Signature changes
i. new TSRM function expand_filepath_with_mode
+ j. unserialization of manipulated object strings
2. Build system changes
a. Unix build system changes
@@ -189,6 +190,20 @@ it increments the refcounts of those objects instead.
PHPAPI char *expand_filepath_with_mode(const char *filepath, char *real_path, const char *relative_to, size_t relative_to_len, int realpath_mode TSRMLS_DC);
expand_filepath_with_mode lets define how realpath will behave, using one of the existing mode: CWD_EXPAND , CWD_FILEPATH or CWD_REALPATH.
+ j.
+ Strings requiring unserialization of objects are now explicitly checked
+ whether the object they contain implements the Serializable interface.
+ This solves the situation where manipulated strings could be passed for
+ objects using Serializable to disallow serialization. An object
+ implementing Serializable will always start with "C:" in the serialized
+ string, all other objects are represented with starting "O:". Objects
+ implementing Serializable to disable serialization using
+ zend_class_unserialize_deny and zend_class_serialize_deny, when
+ instantiated from the serializer with a manipulated "O:" string at the
+ start, will most likely be defectively initialized. This is now
+ fixed at the appropriate place by checking for the presence of the
+ serialize callback in the class entry.
+
========================
2. Build system changes
========================
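Review bot: the body heading added as "+ j." is bare, while the table-of-contents entry in the same patch reads "j. unserialization of manipulated object strings" and the neighbouring entries (e.g. "i. new TSRM function expand_filepath_with_mode") carry their titles; repeat the title here. The closing sentence says the fix checks "for the presence of the serialize callback in the class entry", but the paragraph names both zend_class_serialize_deny and zend_class_unserialize_deny and the manipulated "O:" string is processed on the unserialize path, so state which class-entry member is actually tested (serialize or unserialize) and that it now fails the unserialization; as written an internals reader cannot tell which handler triggers the new error. Minor wording: "Strings requiring unserialization of objects" reads better as "Serialized strings containing objects".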