From 53c68811bae5f81047d101f9dc79532d89eed363 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Fri, 18 Apr 2014 15:43:05 +0200 Subject: [PATCH] UPGRADING note about bug #67072 --- UPGRADING | 3 +++ UPGRADING.INTERNALS | 15 +++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/UPGRADING b/UPGRADING index b484f94b50d..74f59e61362 100755 --- a/UPGRADING +++ b/UPGRADING @@ -350,6 +350,9 @@ PHP 5.4 UPGRADE NOTES - Since 5.4.7, ctor is always called when new user stream wrapper object is created. Before, it was called only when stream_open was called. +- Manipulated serialization strings for objects implementing Serializable by + replacing "C:" with "O:" at the start will now produce an error. + ============================== 5. Changes to existing classes ============================== diff --git a/UPGRADING.INTERNALS b/UPGRADING.INTERNALS index e9d0adf5541..8aa685fe443 100644 --- a/UPGRADING.INTERNALS +++ b/UPGRADING.INTERNALS @@ -12,6 +12,7 @@ UPGRADE NOTES - PHP X.Y g. leak_variable h. API Signature changes i. new TSRM function expand_filepath_with_mode + j. unserialization of manipulated object strings 2. Build system changes a. Unix build system changes @@ -189,6 +190,20 @@ it increments the refcounts of those objects instead. PHPAPI char *expand_filepath_with_mode(const char *filepath, char *real_path, const char *relative_to, size_t relative_to_len, int realpath_mode TSRMLS_DC); expand_filepath_with_mode lets define how realpath will behave, using one of the existing mode: CWD_EXPAND , CWD_FILEPATH or CWD_REALPATH. + j. + Strings requiring unserialization of objects are now explicitly checked + whether the object they contain implements the Serializable interface. + This solves the situation where manipulated strings could be passed for + objects using Serializable to disallow serialization. An object + implementing Serializable will always start with "C:" in the serialized + string, all other objects are represented with starting "O:". Objects + implementing Serializable to disable serialization using + zend_class_unserialize_deny and zend_class_serialize_deny, when + instantiated from the serializer with a manipulated "O:" string at the + start, will most likely be defectively initialized. This is now + fixed at the appropriate place by checking for the presence of the + serialize callback in the class entry. + ======================== 2. Build system changes ========================