Re: [PHP-DEV] SensitiveParameterValue serialization behavior

2022-02-28 Thread kontakt
> On 26.02.2022 at 12:49, Dan Ackroyd wrote: > > On Thu, 24 Feb 2022 at 14:11, Tim Düsterhus, WoltLab GmbH > wrote: >> >> I see two possible options to remediate this issue: >> >> --- >> >> 1. Disallow both serialization and unserialization. >> >> This will make the serialization

Re: [PHP-DEV] SensitiveParameterValue serialization behavior

2022-02-28 Thread Tim Düsterhus, WoltLab GmbH
Hi Internals! On 2/24/22 15:11, Tim Düsterhus, WoltLab GmbH wrote: Please find the thread in the GitHub PR at: https://github.com/php/php-src/pull/7921#discussion_r813743903 […] 1. Disallow both serialization and unserialization. This will make the serialization issue very obvious, but will

Re: [PHP-DEV] SensitiveParameterValue serialization behavior

2022-02-28 Thread Guilliam Xavier
Hi again, FWIW, Dan's and Claude's explanations (thanks!) and arguments made me change my preference to option 1 (i.e. make SensitiveParameterValue not serializable, period). Best regards, -- Guilliam Xavier

Re: [PHP-DEV] SensitiveParameterValue serialization behavior

2022-02-26 Thread Claude Pache
> > 1. Disallow both serialization and unserialization. > > This will make the serialization issue very obvious, but will require > adjustments to exception handlers that serialize the stack traces. Hi, Note that exception handlers that serialise stack traces without taking into account

Re: [PHP-DEV] SensitiveParameterValue serialization behavior

2022-02-26 Thread Dan Ackroyd
On Thu, 24 Feb 2022 at 14:11, Tim Düsterhus, WoltLab GmbH wrote: > > I see two possible options to remediate this issue: > > --- > > 1. Disallow both serialization and unserialization. > > This will make the serialization issue very obvious, but will require > adjustments to exception

Re: [PHP-DEV] SensitiveParameterValue serialization behavior

2022-02-25 Thread Tim Düsterhus, WoltLab GmbH
Hi Guilliam, On 2/25/22 13:11, Guilliam Xavier wrote: I would prefer option 2 (if possible), to avoid potentially breaking existing code. Sure, that's possible. Otherwise I wouldn't have proposed it :-) The solution for this is simply an additional private property $isPoisoned that is set

Re: [PHP-DEV] SensitiveParameterValue serialization behavior

2022-02-25 Thread Guilliam Xavier
On Thu, Feb 24, 2022 at 3:11 PM Tim Düsterhus, WoltLab GmbH < duester...@woltlab.com> wrote: > Hi Internals! > > during code review of the "Redacting parameters in back traces" RFC [1] > an issue with the proposed serialization behavior of > SensitiveParameterValue objects became apparent that

[PHP-DEV] SensitiveParameterValue serialization behavior

2022-02-24 Thread Tim Düsterhus, WoltLab GmbH
Hi Internals! during code review of the "Redacting parameters in back traces" RFC [1] an issue with the proposed serialization behavior of SensitiveParameterValue objects became apparent that was not noticed before the RFC went into voting: The RFC proposed that serialization was allowed,