
UPGRADING note about bug #67072

weltling committed Apr 18, 2014
1 parent fae4f64 commit 3586d14b61fbf3932650899d99a09e25784cf587
Showing with 19 additions and 0 deletions.
  1. +3 −0 UPGRADING
  2. +16 −0 UPGRADING.INTERNALS
@@ -193,6 +193,9 @@ PHP 5.5 UPGRADE NOTES
- Since 5.5.4, fputcsv() has fifth parameter escape_char, allowing to
specify escape char.

- Manipulated serialization strings for objects implementing Serializable by
replacing "C:" with "O:" at the start will now produce an error.

========================================
5. New Functions
========================================
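Review bot: the new UPGRADING entry in this hunk says a manipulated "O:" string "will now produce an error" but not which error level is raised or what unserialize() returns in that case, and unlike the preceding entry ("Since 5.5.4, fputcsv() ...") it does not name the release in which the behaviour changed. Suggest stating all three, e.g. "Since 5.5.x, unserialize() rejects ... with an E_xxx and returns false" with the real version and error level filled in, and citing bug #67072 from the commit message so readers can find the details.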
@@ -8,6 +8,7 @@ UPGRADE NOTES - PHP X.Y
c. Lowercasing and locales
d. zend_qsort_r
e. get_current_key
f. unserialization of manipulated object strings

2. Build system changes
a. Unix build system changes
@@ -108,6 +109,21 @@ void (*get_current_key)(zend_object_iterator *iter, zval *key TSRMLS_DC);

The key should be written into the zval* using the ZVAL_* macros.

f. unserialization of manipulated object strings

Strings requiring unserialization of objects are now explicitly checked
whether the object they contain implements the Serializable interface.
This solves the situation where manipulated strings could be passed for
objects using Serializable to disallow serialization. An object
implementing Serializable will always start with "C:" in the serialized
string, all other objects are represented with starting "O:". Objects
implementing Serializable to disable serialization using
zend_class_unserialize_deny and zend_class_serialize_deny, when
instantiated from the serializer with a manipulated "O:" string at the
start, will most likely be defectively initialized. This is now
fixed at the appropriate place by checking for the presence of the
serialize callback in the class entry.

========================
2. Build system changes
========================
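Review bot: the last paragraph of this hunk is too vague for its audience: "fixed at the appropriate place" should name the file and function where the class-entry check lives, and the text never says what the serializer does when it meets an "O:" string for a class that has a serialize callback (error level, return value), which is what an extension author reading UPGRADE NOTES needs. It should also say why the check is on the serialize callback rather than the unserialize callback, given that this is the unserialize path (or note that Serializable classes always set both). The sentence beginning "Objects implementing Serializable to disable serialization using zend_class_unserialize_deny and zend_class_serialize_deny ..." is a run-on; split it into what such a class does (denies (un)serialization via those callbacks) and what used to happen when an "O:" string for it was unserialized (an object created without the class ever seeing the data, hence "defectively initialized"). Minor: "checked whether the object they contain implements" reads better as "checked for whether the class of the object they contain implements".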
