author | Anatol Belski <ab@php.net> | 2014-04-18 15:43:05 +0200
committer | Anatol Belski <ab@php.net> | 2014-04-18 15:43:05 +0200
commit | 53c68811bae5f81047d101f9dc79532d89eed363 (patch)
tree | d26e4894d3a8d55b0a0e92df3b201eaa621d8923
parent | c2acdbdd3deb6787329bf0aca8ab0c04ace2a50c (diff)
download | php-git-53c68811bae5f81047d101f9dc79532d89eed363.tar.gz
UPGRADING note about bug #67072
-rwxr-xr-x | UPGRADING | 3
-rw-r--r-- | UPGRADING.INTERNALS | 15
2 files changed, 18 insertions, 0 deletions
@@ -350,6 +350,9 @@ PHP 5.4 UPGRADE NOTES - Since 5.4.7, ctor is always called when new user stream wrapper object is created. Before, it was called only when stream_open was called. +- Manipulated serialization strings for objects implementing Serializable by + replacing "C:" with "O:" at the start will now produce an error. + ============================== 5. Changes to existing classes ============================== diff --git a/UPGRADING.INTERNALS b/UPGRADING.INTERNALS index e9d0adf554..8aa685fe44 100644 --- a/UPGRADING.INTERNALS +++ b/UPGRADING.INTERNALS @@ -12,6 +12,7 @@ UPGRADE NOTES - PHP X.Y g. leak_variable h. API Signature changes i. new TSRM function expand_filepath_with_mode + j. unserialization of manipulated object strings 2. Build system changes a. Unix build system changes 
@@ -189,6 +190,20 @@ it increments the refcounts of those objects instead. PHPAPI char *expand_filepath_with_mode(const char *filepath, char *real_path, const char *relative_to, size_t relative_to_len, int realpath_mode TSRMLS_DC); expand_filepath_with_mode lets define how realpath will behave, using one of the existing mode: CWD_EXPAND , CWD_FILEPATH or CWD_REALPATH. + j. + Strings requiring unserialization of objects are now explicitly checked + whether the object they contain implements the Serializable interface. + This solves the situation where manipulated strings could be passed for + objects using Serializable to disallow serialization. An object + implementing Serializable will always start with "C:" in the serialized + string, all other objects are represented with starting "O:". Objects + implementing Serializable to disable serialization using + zend_class_unserialize_deny and zend_class_serialize_deny, when + instantiated from the serializer with a manipulated "O:" string at the + start, will most likely be defectively initialized. This is now + fixed at the appropriate place by checking for the presence of the + serialize callback in the class entry. + ======================== 2. Build system changes ======================== |
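Review bot: the new UPGRADING bullet in the `@@ -350,6 +350,9 @@` hunk (the two `+` lines after the stream-wrapper note) neither cites bug #67072, which the commit message names, nor says what kind of error "will now produce an error" means, so a reader of UPGRADING cannot tell whether to expect a warning, a notice or an exception, and cannot find the bug report. Suggest closing the bullet with the bug reference, e.g. `+  replacing "C:" with "O:" at the start will now produce an error (bug #67072).`, and naming the concrete error that is raised.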
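Review bot: the section heading added in the `@@ -189,6 +190,20 @@` hunk is a bare `+ j.`, while the table-of-contents entry added in the `@@ -12,6 +12,7 @@` hunk reads `j. unserialization of manipulated object strings`; give the heading the same title so the two match. The first sentence of the new paragraph is also hard to parse ("Strings requiring unserialization of objects are now explicitly checked whether the object they contain implements the Serializable interface"); something like "Serialized strings that contain an object are now explicitly checked for whether that object's class implements Serializable" reads more clearly. Finally, "will most likely be defectively initialized" and "fixed at the appropriate place" leave the consequence and the location vague; naming the function where the serialize-callback check was added and the error the unserializer now raises would make the note actionable for extension authors.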