Browse files

UPGRADING note about bug #67072

  • Loading branch information...
1 parent fae4f64 commit 3586d14b61fbf3932650899d99a09e25784cf587 @weltling weltling committed Apr 18, 2014
Showing with 19 additions and 0 deletions.
  1. +3 −0 UPGRADING
@@ -193,6 +193,9 @@ PHP 5.5 UPGRADE NOTES
- Since 5.5.4, fputcsv() has fifth parameter escape_char, allowing to
specify escape char.
+- Manipulated serialization strings for objects implementing Serializable by
+ replacing "C:" with "O:" at the start will now produce an error.
5. New Functions
@@ -8,6 +8,7 @@ UPGRADE NOTES - PHP X.Y
c. Lowercasing and locales
d. zend_qsort_r
e. get_current_key
+ f. unserialization of manipulated object strings
2. Build system changes
a. Unix build system changes
@@ -108,6 +109,21 @@ void (*get_current_key)(zend_object_iterator *iter, zval *key TSRMLS_DC);
The key should be written into the zval* using the ZVAL_* macros.
+ f. unserialization of manipulated object strings
+Strings requiring unserialization of objects are now explicitly checked
+whether the object they contain implements the Serializable interface.
+This solves the situation where manipulated strings could be passed for
+objects using Serializable to disallow serialization. An object
+implementing Serializable will always start with "C:" in the serialized
+string, all other objects are represented with starting "O:". Objects
+implementing Serializable to disable serialization using
+zend_class_unserialize_deny and zend_class_serialize_deny, when
+instantiated from the serializer with a manipulated "O:" string at the
+start, will most likely be defectively initialized. This is now
+fixed at the appropriate place by checking for the presence of the
+serialize callback in the class entry.
2. Build system changes

0 comments on commit 3586d14

Please sign in to comment.