author | Tyson Andre <tysonandre775@hotmail.com> | 2020-07-07 18:47:52 -0400
---|---|---
committer | Tyson Andre <tysonandre775@hotmail.com> | 2020-08-03 13:28:51 -0400
commit | 0c238ede019f6ffbe7c996ec1695a747f4bca966 (patch) |
tree | e808fc0f2b31d73f42d80f51087d611c98673142 /UPGRADING |
parent | f9f769d4b9af367af864d35cf09dca5b08da2046 (diff) |
download | php-git-0c238ede019f6ffbe7c996ec1695a747f4bca966.tar.gz |
[RFC] Only unserialize Phar metadata when getMetadata() is called
In other words, don't automatically unserialize when the magic
phar:// stream wrappers are used.
RFC: https://wiki.php.net/rfc/phar_stop_autoloading_metadata
Also, change the signature from `getMetadata()`
to `getMetadata(array $unserialize_options = [])`.
Start throwing earlier if setMetadata() is called and serialization threw.
See https://externals.io/message/110856 and
https://bugs.php.net/bug.php?id=76774
This was refactored to add a phar_metadata_tracker for the following reasons:
- The way to properly copy a zval was previously implicit and undocumented
(e.g. is it a pointer to a raw string or an actual value)
- Avoid unnecessary serialization and unserialization in the most common case
- If a metadata value is serialized once while saving a new/modified phar file,
this allows reusing the same serialized string.
- Have as few ways to copy/clone/lazily parse metadata (etc.) as possible,
so that code changes can be limited to only a few places in the future.
- Performance is hopefully not a concern - copying a string should be faster
than unserializing a value, and metadata should be rare in most cases.
Remove unnecessary skip in a test (Compression's unused)
Add additional assertions about usage of persistent phars
Improve robustness of `Phar*->setMetadata()`
- Add sanity checks for edge cases freeing metadata, when destructors
or serializers modify the phar recursively.
- Typical use cases of php have phar.readonly=1 and would not be affected.
Closes GH-5855
Diffstat (limited to 'UPGRADING')
-rw-r--r-- | UPGRADING | 5
1 files changed, 5 insertions, 0 deletions
@@ -425,6 +425,11 @@ PHP 8.0 UPGRADE NOTES - PDO_ODBC: . The php.ini directive pdo_odbc.db2_instance_name has been removed +- Phar: + . Metadata associated with a phar will no longer be automatically unserialized, + to fix potential security vulnerabilities due to object instantiation, autoloading, etc. + RFC: https://wiki.php.net/rfc/phar_stop_autoloading_metadata + - Reflection: . The method signatures |
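Review bot: the new `- Phar:` entry in this hunk documents only the behaviour change (metadata no longer auto-unserialized), but the commit message above also changes the public signature from `getMetadata()` to `getMetadata(array $unserialize_options = [])` and makes `setMetadata()` throw earlier when serialization fails; both are user-visible and belong in UPGRADING next to this bullet so that callers know they can pass unserialize options and must now expect an exception from `setMetadata()`. Suggest adding a second `.` bullet under `- Phar:` stating the new `getMetadata(array $unserialize_options = [])` signature and the earlier throw in `setMetadata()`, and giving a brief rationale for the first bullet (the RFC link is there, but one clause on why auto-unserialization is unsafe, as the bullet already starts to do with "object instantiation, autoloading, etc.", should stay on the same line rather than being split across the wrapped text).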