| | | |
|---|---|---|
| author | Anatol Belski <ab@php.net> | 2014-04-18 15:50:15 +0200 |
| committer | Anatol Belski <ab@php.net> | 2014-04-18 15:50:15 +0200 |
| commit | 3586d14b61fbf3932650899d99a09e25784cf587 (patch) | |
| tree | f13297c473e35e9c63e2b1cdb1a34f1925d6b326 | |
| parent | fae4f6486519c980264bbd13e282dfa390b54af2 (diff) | |
| download | php-git-3586d14b61fbf3932650899d99a09e25784cf587.tar.gz | |
UPGRADING note about bug #67072
| mode | file | lines changed |
|---|---|---|
| -rwxr-xr-x | UPGRADING | 3 |
| -rw-r--r-- | UPGRADING.INTERNALS | 16 |

2 files changed, 19 insertions, 0 deletions
@@ -193,6 +193,9 @@ PHP 5.5 UPGRADE NOTES - Since 5.5.4, fputcsv() has fifth parameter escape_char, allowing to specify escape char. +- Manipulated serialization strings for objects implementing Serializable by + replacing "C:" with "O:" at the start will now produce an error. + ======================================== 5. New Functions ======================================== diff --git a/UPGRADING.INTERNALS b/UPGRADING.INTERNALS index bdc2a43ab9..60854751d4 100644 --- a/UPGRADING.INTERNALS +++ b/UPGRADING.INTERNALS @@ -8,6 +8,7 @@ UPGRADE NOTES - PHP X.Y c. Lowercasing and locales d. zend_qsort_r e. get_current_key + f. unserialization of manipulated object strings 2. Build system changes a. Unix build system changes @@ -108,6 +109,21 @@ void (*get_current_key)(zend_object_iterator *iter, zval *key TSRMLS_DC); The key should be written into the zval* using the ZVAL_* macros. + f. unserialization of manipulated object strings + +Strings requiring unserialization of objects are now explicitly checked +whether the object they contain implements the Serializable interface. +This solves the situation where manipulated strings could be passed for +objects using Serializable to disallow serialization. An object +implementing Serializable will always start with "C:" in the serialized +string, all other objects are represented with starting "O:". Objects +implementing Serializable to disable serialization using +zend_class_unserialize_deny and zend_class_serialize_deny, when +instantiated from the serializer with a manipulated "O:" string at the +start, will most likely be defectively initialized. This is now +fixed at the appropriate place by checking for the presence of the +serialize callback in the class entry. + ======================== 2. Build system changes ======================== |
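Review bot: the new UPGRADING bullet ("Manipulated serialization strings for objects implementing Serializable by replacing "C:" with "O:" at the start will now produce an error.") is hard to parse, does not say what kind of error is raised, and does not cite the bug the commit message refers to (#67072). Suggest rewording along the lines of "Unserializing an object whose class implements Serializable from an "O:" payload (a "C:" string whose prefix was replaced) now fails with an error instead of producing a defectively initialized object (bug #67072)", and naming the error level so that user code relying on error handlers or @-suppression knows what to expect.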
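Review bot: in the new UPGRADING.INTERNALS section f, the closing sentence says the fix checks "for the presence of the serialize callback in the class entry", yet the same paragraph names both zend_class_serialize_deny and zend_class_unserialize_deny; since the check runs on the unserialize path, please document whether a class entry that sets only the unserialize callback (or only zend_class_unserialize_deny) is also rejected, or exactly which callback(s) are tested, so extension authors know which class-entry fields must be populated to get the protection. The section should also state what, if anything, extension authors need to change, which is the purpose of UPGRADING.INTERNALS. Wording fixes: "Strings requiring unserialization of objects are now explicitly checked whether the object they contain implements" reads better as "When a serialized string contains an object, the unserializer now explicitly checks whether that object's class implements"; "manipulated strings could be passed for objects using Serializable to disallow serialization" should say plainly that a "C:" payload rewritten to "O:" bypassed the Serializable path for classes that use it to deny serialization; and "will most likely be defectively initialized" should be replaced with a concrete description of the resulting state rather than a hedge.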