On Friday, 14 June 2024 at 00:04, Timo Tijhof <ttij...@wikimedia.org>
wrote:

> Would this affect unserialize()?
>
> I ask because MediaWiki's main "text" database table is an
> immutable/append-only store where we store the text of each page revision
> since ~2004. It is stored as serialised blobs of a value class. There have
> been a number of different implementations over the past twenty years of
> Wikipedia's existence (plain text, gzip-compressed, diff-compressed, etc.).
>
> When we adopted modern autoloading in MediaWiki, we quickly found that
> blobs originally serialized by PHP 4 actually encoded the class in
> lowercase, regardless of the casing in source code.
>
> From https://3v4l.org/jl0et:
>
>> class ConcatenatedGzipHistoryBlob {…}
>> print serialize($blob);
>> # PHP 4.x: O:27:"concatenatedgziphistoryblob":…
>> # PHP 5/7/8: O:27:"ConcatenatedGzipHistoryBlob":…
>
>
> It is of course the application's responsibility to load these classes,
> but, it is arguably PHP's responsibility to be able to construct what it
> serialized. I suppose anything is possible when announced as a breaking
> change for PHP 9.0. I wanted to share this as something to take into
> consideration as part of the impact. Potentially worthy of additional
> communicating, or perhaps worth supporting separately.
>
> --
> Timo Tijhof,
> Principal Engineer,
> Wikimedia Foundation.
> https://timotijhof.net/
>
>
Hi, Timo!

Thank you very much for bringing up this important case.

Here's how I see this. If PHP gets class case-sensitivity, unserialization
of classes with lowercase names will fail. This is because the engine will
start putting the `MyClass` class entry with key `MyClass` (not `myclass`) into
the loaded classes table and serialization will not be able to find it as
`myclass`.
Even if some deprecation layer is introduced (that puts both `myclass` and
`MyClass` keys into the table), you will first have a ton of notices and
then eventually end up with the same problem, when the transition to case
sensitivity is complete. Hence I propose no deprecation layer — it does not
really help.

However, you will be able to use `class_alias()` to solve your issue. If
classes are case-sensitive, `class_alias(MyClass::class, 'myclass');`
should work, since MyClass != myclass anymore. And serialization works
perfectly with class aliases, see https://3v4l.org/1n1as .

--
Valentin Udaltsov
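
Added example (not from either message or from MediaWiki): the `class_alias()` approach described above, guarded so that it also runs on today's case-insensitive PHP, with `unserialize()` restricted to the known legacy classes. `LegacyBlob`, `LEGACY_CLASSES` and both helper functions are hypothetical, the blob is constructed, and the behaviour under case-sensitive class lookup is an assumption about the proposal.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a value class whose PHP 4-era blobs are still stored.
class LegacyBlob
{
    public $text = '';
}

// Hypothetical list of classes that may appear in stored blobs.
const LEGACY_CLASSES = [LegacyBlob::class];

// Register a lowercase alias for each class, but only when the lowercase
// name does not already resolve. On today's case-insensitive PHP it does
// resolve, so nothing is registered; under case-sensitive lookup (an
// assumption about the proposal) the alias would be created.
function registerLowercaseAliases(array $classes): array
{
    $added = [];
    foreach ($classes as $class) {
        $lower = strtolower($class);
        // class_exists($class) loads the real class first (autoload allowed).
        if ($lower !== $class && class_exists($class) && !class_exists($lower, false)) {
            class_alias($class, $lower);
            $added[] = $lower;
        }
    }
    return $added;
}

// Unserialize a stored blob, permitting only the known classes (listed in
// both casings) and rejecting anything that could not be constructed.
function unserializeLegacy(string $blob, array $classes)
{
    $allowed = array_merge($classes, array_map('strtolower', $classes));
    $value = unserialize($blob, ['allowed_classes' => $allowed]);
    if ($value instanceof __PHP_Incomplete_Class) {
        throw new UnexpectedValueException('blob names a class that is not loaded or not allowed');
    }
    return $value;
}

// Constructed sample in the PHP 4 style: class name stored in lowercase.
$blob = 'O:10:"legacyblob":1:{s:4:"text";s:5:"hello";}';

registerLowercaseAliases(LEGACY_CLASSES);
$obj = unserializeLegacy($blob, LEGACY_CLASSES);
echo get_class($obj), ': ', $obj->text, PHP_EOL;
```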
