unserialize: Deprecate the 'S' tag

TimWolla · TimWolla · commit fd1959c87918 · 2024-05-23T21:42:39.000+02:00
Support for this was added in 8f5310a for forward-compatibility with PHP 6. There should not be any data that is legitimately using this format and removing it simplifies the unserializer as a security-sensitive piece of code.
diff --git a/ext/standard/tests/serialize/unserialize_uppercase_s.phpt b/ext/standard/tests/serialize/unserialize_uppercase_s.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Test unserialize() with the 'S' format emits a deprecation.
+--FILE--
+<?php
+
+var_dump(unserialize('S:1:"e";'));
+var_dump(unserialize('S:1:"\65";'));
+
+?>
+--EXPECTF--
+Deprecated: unserialize(): Unserializing the 'S' format is deprecated in %s on line %d
+string(1) "e"
+
+Deprecated: unserialize(): Unserializing the 'S' format is deprecated in %s on line %d
+string(1) "e"
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
@@ -1085,6 +1085,9 @@ use_double:
 	*p = YYCURSOR;
 
 	ZVAL_STR(rval, str);
+
+	php_error_docref(NULL, E_DEPRECATED, "Unserializing the 'S' format is deprecated");
+
 	return 1;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1085,6 +1085,9 @@ use_double:`
`1085`	`1085`	`*p = YYCURSOR;`
`1086`	`1086`
`1087`	`1087`	`ZVAL_STR(rval, str);`
	`1088`	`+`
	`1089`	`+ php_error_docref(NULL, E_DEPRECATED, "Unserializing the 'S' format is deprecated");`
	`1090`	`+`
`1088`	`1091`	`return 1;`
`1089`	`1092`	`}`
`1090`	`1093`