diff options
| -rwxr-xr-x | UPGRADING | 3 | ||||
| -rw-r--r-- | UPGRADING.INTERNALS | 16 |
2 files changed, 19 insertions, 0 deletions
@@ -193,6 +193,9 @@ PHP 5.5 UPGRADE NOTES - Since 5.5.4, fputcsv() has fifth parameter escape_char, allowing to specify escape char. +- Manipulated serialization strings for objects implementing Serializable by + replacing "C:" with "O:" at the start will now produce an error. + ======================================== 5. New Functions ======================================== diff --git a/UPGRADING.INTERNALS b/UPGRADING.INTERNALS index bdc2a43ab9..60854751d4 100644 --- a/UPGRADING.INTERNALS +++ b/UPGRADING.INTERNALS @@ -8,6 +8,7 @@ UPGRADE NOTES - PHP X.Y c. Lowercasing and locales d. zend_qsort_r e. get_current_key + f. unserialization of manipulated object strings 2. Build system changes a. Unix build system changes @@ -108,6 +109,21 @@ void (*get_current_key)(zend_object_iterator *iter, zval *key TSRMLS_DC); The key should be written into the zval* using the ZVAL_* macros. + f. unserialization of manipulated object strings + +Strings requiring unserialization of objects are now explicitly checked +whether the object they contain implements the Serializable interface. +This solves the situation where manipulated strings could be passed for +objects using Serializable to disallow serialization. An object +implementing Serializable will always start with "C:" in the serialized +string, all other objects are represented with starting "O:". Objects +implementing Serializable to disable serialization using +zend_class_unserialize_deny and zend_class_serialize_deny, when +instantiated from the serializer with a manipulated "O:" string at the +start, will most likely be defectively initialized. This is now +fixed at the appropriate place by checking for the presence of the +serialize callback in the class entry. + ======================== 2. Build system changes ======================== |