Edit report at https://bugs.php.net/bug.php?id=64206&edit=1

 ID:                 64206
 Updated by:         m...@php.net
 Reported by:        cameron dot junge at sella dot co dot nz
 Summary:            Serialized object becomes r:2, which breaks
                     unserialization
-Status:             Verified
+Status:             Wont fix
 Type:               Bug
 Package:            Scripting Engine problem
 Operating System:   Ubuntu 12.10
 PHP Version:        5.4.11
 Assigned To:        mike
 Block user comment: N
 Private report:     N



Previous Comments:
------------------------------------------------------------------------
[2013-02-20 22:02:47] cameron dot junge at sella dot co dot nz

If unserialize is blocked inside serialize, then either the inherited class(es) 
need to know all the required properties from the parent class(es), which might 
cause a bit of a maintenance headache (one field changed in a base class means 
all inherited classes need to be updated).

A "solution" would be to use get_object_vars() in the base class and filter the 
properties returned, but that seems to me like a bit of a kludge. Would mean 
only serializing once, without the unserialize.

The use-case I've got is to prevent serializing a PDO connection inside classes 
that need to be persisted to memcache.

------------------------------------------------------------------------
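
The get_object_vars() filtering approach described in the comment above, as an added example that is not part of the original report or the reporter's code. It assumes the Serializable interface as of the PHP 5.4 named in the report (PHP 8.1 and later deprecate it unless __serialize() is also implemented); the class names, the `db` property and the transientProperties() helper are hypothetical.

```php
<?php
// Added example; class and property names are constructed for illustration.
abstract class Persistable implements Serializable
{
    // Properties that must never reach the cache (assumed convention).
    protected function transientProperties()
    {
        return array('db');
    }

    public function serialize()
    {
        // get_object_vars() runs in the base-class scope: it returns public and
        // protected properties of subclasses, but not their private ones.
        $state = array_diff_key(
            get_object_vars($this),
            array_flip($this->transientProperties())
        );
        // A single serialize() of a plain array, with no unserialize() inside.
        return serialize($state);
    }

    public function unserialize($data)
    {
        $state = unserialize($data);
        if (!is_array($state)) {
            return;
        }
        foreach ($state as $name => $value) {
            // Restore only declared, non-transient properties.
            if (property_exists($this, $name)
                && !in_array($name, $this->transientProperties(), true)) {
                $this->$name = $value;
            }
        }
    }
}

class Listing extends Persistable
{
    protected $db;    // stand-in for the PDO connection
    protected $title;

    public function __construct($db, $title)
    {
        $this->db = $db;
        $this->title = $title;
    }
}

$copy = unserialize(serialize(new Listing(new stdClass(), 'Bike')));
var_dump($copy);
```

Subclasses add protected properties without touching the base class; only a new transient property requires overriding transientProperties().

------------------------------------------------------------------------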
[2013-02-20 15:03:59] larue...@php.net

Oh, then I misunderstood your "deny" word, hehe

------------------------------------------------------------------------
[2013-02-20 14:56:08] m...@php.net

What dynamic check? 

I guess a differentiated BG(serialize_lock)/BG(unserialize_lock) should do it.

------------------------------------------------------------------------
[2013-02-20 14:47:32] larue...@php.net

I think denying unserialize in serialize is not a choice. It needs a dynamic check 
and makes no sense.

The resetting one needs to be tested with...

------------------------------------------------------------------------
[2013-02-20 10:42:39] m...@php.net

As the var_hash is kept between recursive serialize() calls, the serializer 
thinks the object is already serialized, but in fact, your hacky code replaces 
the previously serialized object.

I see two options:

- deny unserialize() in serialize()
- reset the serialize var_hash on unserialize() (which may break other things)

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=64206

