path: root/UPGRADING.INTERNALS
author: Anatol Belski <ab@php.net> 2014-04-18 15:54:49 +0200
committer: Anatol Belski <ab@php.net> 2014-04-18 15:54:49 +0200
commit: b93d040dc53b57249270208f1e0fbb2ef9b36539 (patch)
tree: e1c2cb1ebb850c961c7aa256e1467962e5d06686 /UPGRADING.INTERNALS
parent: f09f7f22d8d8ff52b234733344a00b11ca09dedf (diff)
download: php-git-b93d040dc53b57249270208f1e0fbb2ef9b36539.tar.gz
UPGRADING note about bug #67072
Diffstat (limited to 'UPGRADING.INTERNALS')
-rw-r--r-- UPGRADING.INTERNALS | 17
1 files changed, 17 insertions, 0 deletions
diff --git a/UPGRADING.INTERNALS b/UPGRADING.INTERNALS
index 1bc359bfd0..adad50fb91 100644
--- a/UPGRADING.INTERNALS
+++ b/UPGRADING.INTERNALS
@@ -12,6 +12,8 @@ UPGRADE NOTES - PHP X.Y
g. Additional str_* APIs
h. Addition of zend_hash_reindex
i. Addition of zend_hash_splice
+ j. An additional parameter is sent to Countable::count()
+ k. Unserialization of manipulated object strings
2. Build system changes
a. Unix build system changes
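Review bot: the index entry "j. An additional parameter is sent to Countable::count()" is introduced in this hunk together with "k.", but the second hunk only inserts the body of section k (its leading context lines, "fail. Extensions which implement Countable internally, need to accept one optional long as parameter.", are the tail of an already existing Countable section), so the body for j was previously present without an index entry. Please confirm that the existing body heading is lettered "j." and worded identically to the index line, otherwise the table of contents and the section headings drift apart.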
@@ -189,6 +191,21 @@ UPGRADE NOTES - PHP X.Y
fail. Extensions which implement Countable internally, need to accept one
optional long as parameter.
+ k. Unserialization of manipulated object strings
+
+ Strings requiring unserialization of objects are now explicitly checked
+ whether the object they contain implements the Serializable interface.
+ This solves the situation where manipulated strings could be passed for
+ objects using Serializable to disallow serialization. An object
+ implementing Serializable will always start with "C:" in the serialized
+ string, all other objects are represented with starting "O:". Objects
+ implementing Serializable to disable serialization using
+ zend_class_unserialize_deny and zend_class_serialize_deny, when
+ instantiated from the serializer with a manipulated "O:" string at the
+ start, will most likely be defectively initialized. This is now
+ fixed at the appropriate place by checking for the presence of the
+ serialize callback in the class entry.
+
========================
2. Build system changes
========================
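Review bot: the new section describes the mechanism of the fix but not its observable outcome. "This is now fixed at the appropriate place by checking for the presence of the serialize callback in the class entry" does not tell an extension author or a caller of unserialize() what now happens when an "O:" string names a class that uses zend_class_serialize_deny / zend_class_unserialize_deny (is unserialization rejected, does unserialize() return false, is a warning emitted?), and "will most likely be defectively initialized" is equally vague about the previous failure. Suggest stating the resulting behaviour in one sentence and naming the bug the commit message refers to, which the note itself omits, for example by appending "(see bug #67072)". Two wording points: the opening sentence "Strings requiring unserialization of objects are now explicitly checked whether the object they contain implements the Serializable interface." reads awkwardly; "Serialized strings that contain objects are now explicitly checked for whether the named class implements Serializable." would be clearer. And "at the appropriate place" carries no information for readers of UPGRADING.INTERNALS; either name the function where the check lives or drop the phrase.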