Re: [PHP-DEV] Unserializes, inheritance and allows_classes

2019-01-17 Thread Marco Pivetta
On Fri, Jan 18, 2019 at 2:13 AM Marcos Passos wrote:

>> How would you fix this example, then? Perhaps we should add more examples
>> in the docs.
>
> But it closes for extension preventing the serialization of instances not
> whitelisted. It may work for @internal or package private classes, bu

Re: [PHP-DEV] Unserializes, inheritance and allows_classes

2019-01-17 Thread Marcos Passos
>> How would you fix this example, then? Perhaps we should add more examples
>> in the docs.

But it closes for extension preventing the serialization of instances not whitelisted. It may work for @internal or package private classes, but not for public classes.

On Thu, 17 Jan 2019 at 23:0

Re: [PHP-DEV] Unserializes, inheritance and allows_classes

2019-01-17 Thread Marco Pivetta
On Fri, Jan 18, 2019 at 2:00 AM Marcos Passos wrote:

> How would you fix this example, then? Perhaps we should add more examples
> in the docs.

You'd include all expected child classes in the list of `allowed_classes`.

As for the docs, feel free to go ahead and edit them directly :+1:

Marco P

Re: [PHP-DEV] Unserializes, inheritance and allows_classes

2019-01-17 Thread Marcos Passos
How would you fix this example, then? Perhaps we should add more examples in the docs.

On Thu, 17 Jan 2019 at 22:53, Marco Pivetta wrote:

> On Fri, Jan 18, 2019 at 1:50 AM Marcos Passos wrote:
>
>> Hi Marco,
>>
>> Also: nothing denies an attacker from defining a subtype to your class

Re: [PHP-DEV] Unserializes, inheritance and allows_classes

2019-01-17 Thread Marco Pivetta
On Fri, Jan 18, 2019 at 1:50 AM Marcos Passos wrote:

> Hi Marco,
>
>> Also: nothing denies an attacker from defining a subtype to your class,
>> then passing a malicious instance to your application.
>
> Fact, but it also reveals a fragility in the solution in the sense that
> one has to opt bet

Re: [PHP-DEV] Unserializes, inheritance and allows_classes

2019-01-17 Thread Marcos Passos
Hi Marco,

> Also: nothing denies an attacker from defining a subtype to your class,
> then passing a malicious instance to your application.

Fact, but it also reveals a fragility in the solution in the sense that one has to opt between flexible design or security.

On Thu, 17 Jan 2019 at 22:

Re: [PHP-DEV] Unserializes, inheritance and allows_classes

2019-01-17 Thread Marco Pivetta
On Fri, Jan 18, 2019 at 12:49 AM Marcos Passos wrote:

> Hi internals,
>
> Today I stumbled upon a limitation when implementing the unserialize method
> of a serializable class which depends on an abstraction also serializable.
> Currently, there is no way to unserialize an object specifying a par

[PHP-DEV] Unserializes, inheritance and allows_classes

2019-01-17 Thread Marcos Passos
Hi internals,

Today I stumbled upon a limitation when implementing the unserialize method of a serializable class which depends on an abstraction also serializable. Currently, there is no way to unserialize an object specifying a parent class in the allowed_classes option:

class SerializableBase
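The behaviour the original post describes, and the workaround Marco Pivetta gives in his reply (list every expected child class), as an added example that is not code from the thread. The `Shape`, `Circle` and `Square` classes and the `unserializeShape()` helper are hypothetical stand-ins for the poster's classes; the serialized payloads are constructed inline. It also adds the check a practitioner would want: `allowed_classes` matches exact class names, so an unlisted subclass is demoted to `__PHP_Incomplete_Class` rather than rejected, and the caller has to refuse that object explicitly.

```php
<?php
declare(strict_types=1);

// Hypothetical class hierarchy standing in for the poster's SerializableBase.
abstract class Shape
{
    /** @var float */
    public $x;
    /** @var float */
    public $y;

    public function __construct(float $x, float $y)
    {
        $this->x = $x;
        $this->y = $y;
    }
}

final class Circle extends Shape
{
    /** @var float */
    public $radius;

    public function __construct(float $x, float $y, float $radius)
    {
        parent::__construct($x, $y);
        $this->radius = $radius;
    }
}

final class Square extends Shape
{
    /** @var float */
    public $side;

    public function __construct(float $x, float $y, float $side)
    {
        parent::__construct($x, $y);
        $this->side = $side;
    }
}

// Small helper so the example fails loudly instead of relying on zend.assertions.
function expect(bool $condition, string $what): void
{
    if (!$condition) {
        throw new LogicException("Expectation failed: $what");
    }
}

// Defensive wrapper: exact-name whitelist AND a type check on the result.
// A payload naming a class outside $allowed comes back as __PHP_Incomplete_Class
// (not as false, not as an exception), so the instanceof check is what
// actually keeps it out of the domain model.
function unserializeShape(string $data, array $allowed): Shape
{
    $obj = unserialize($data, ['allowed_classes' => $allowed]);
    if (!$obj instanceof Shape) {
        $type = is_object($obj) ? get_class($obj) : gettype($obj);
        throw new UnexpectedValueException("Refusing unserialized payload of type $type");
    }
    return $obj;
}

// Constructed payload: a legitimately serialized Circle.
$payload = serialize(new Circle(1.0, 2.0, 3.0));

// 1. Whitelisting only the parent does NOT admit the subclass: the Circle is
//    demoted to __PHP_Incomplete_Class, which is the limitation the post is about.
$demoted = unserialize($payload, ['allowed_classes' => [Shape::class]]);
expect($demoted instanceof __PHP_Incomplete_Class, 'parent-only whitelist demotes the child');
expect(!($demoted instanceof Shape), 'demoted object is not a Shape');

// 2. The workaround from the thread: enumerate every concrete class you expect.
$allowed = [Circle::class, Square::class];
expect(unserializeShape($payload, $allowed) instanceof Circle, 'listed child is restored');

// 3. Anything outside the list is refused by the wrapper, even though plain
//    unserialize() would have handed back an (inert) incomplete object.
try {
    unserializeShape(serialize(new stdClass()), $allowed);
    expect(false, 'unlisted class must be refused');
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// 4. Malformed input: unserialize() returns false, which the wrapper also refuses.
try {
    unserializeShape('not a serialized string', $allowed);
    expect(false, 'malformed input must be refused');
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}

echo "All expectations held.", PHP_EOL;
```

The design choice worth noting is that the class list and the `instanceof` check do different jobs: the list decides which classes may be instantiated at all (limiting the set of `__wakeup`/`__destruct` gadgets reachable from attacker-controlled bytes), while the type check decides what the caller is willing to accept. Dropping the list in favour of a parent-class check alone would reopen instantiation of every loaded class, which is the trade-off between flexibility and security raised later in the thread.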

[PHP-DEV] [VOTE] RFC: Unbundle ext/wddx

2019-01-17 Thread Christoph M. Becker
Hi!

Since there has been no more discussion, and the RFC has been announced months ago, I have put it to vote:

Voting will end on 2019-01-31 (i.e. in two weeks).

Thanks to everybody for their valuable feedback during the discussion phas

Re: [PHP-DEV] [RFC] Reflection for references

2019-01-17 Thread Nikita Popov
On Thu, Jan 17, 2019 at 6:48 AM Stanislav Malyshev wrote:

> Hi!
>
>> I'd like to propose the addition of a ReflectionReference class, as
>> described in the following RFC:
>> https://wiki.php.net/rfc/reference_reflection
>
> Do I understand correctly that the main use case here is to know if t