unserialize: Deprecate the 'S' tag

TimWolla · TimWolla · commit 9acd6fe0d24f · 2023-09-27T20:00:42.000+02:00
Support for this was added in 8f5310a for forward-compatibility with PHP 6. There should not be any data that is legitimately using this format and removing it simplifies the unserializer as a security-sensitive piece of code.
diff --git a/ext/standard/tests/serialize/unserialize_uppercase_s.phpt b/ext/standard/tests/serialize/unserialize_uppercase_s.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Test unserialize() with the 'S' format emits a deprecation.
+--FILE--
+<?php
+
+var_dump(unserialize('S:1:"e";'));
+var_dump(unserialize('S:1:"\65";'));
+
+?>
+--EXPECTF--
+Deprecated: unserialize(): Unserializing the 'S' format is deprecated in %s on line %d
+string(1) "e"
+
+Deprecated: unserialize(): Unserializing the 'S' format is deprecated in %s on line %d
+string(1) "e"
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
@@ -1090,6 +1090,9 @@ use_double:
 	*p = YYCURSOR;
 
 	ZVAL_STR(rval, str);
+
+	php_error_docref(NULL, E_DEPRECATED, "Unserializing the 'S' format is deprecated");
+
 	return 1;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1090,6 +1090,9 @@ use_double:`
`1090`	`1090`	`*p = YYCURSOR;`
`1091`	`1091`
`1092`	`1092`	`ZVAL_STR(rval, str);`
	`1093`	`+`
	`1094`	`+ php_error_docref(NULL, E_DEPRECATED, "Unserializing the 'S' format is deprecated");`
	`1095`	`+`
`1093`	`1096`	`return 1;`
`1094`	`1097`	`}`
`1095`	`1098`