Details
Type: Task
Resolution: Unresolved
Priority: Major - P3
Description
Disabled __wakeup methods were originally introduced in PHPC-190. This was primarily needed for PHP 5.x. In PHP 7.0+, it's sufficient to disable the serialization object handlers (as is done in PHONGO_CE_DISABLE_SERIALIZATION). In PHP 8.1+, we need only add a flag on the class entry (PHPC-1922).
After removing Manager::__wakeup and its references in other non-serializable classes, we can test that serialization is still prohibited via a test like the following:
--TEST--
MongoDB\Driver\Manager does not support serialization
--FILE--
<?php

require_once __DIR__ . '/../utils/basic.inc';

echo throws(function() {
    serialize(create_test_manager());
}, Exception::class), "\n";

echo throws(function() {
    unserialize('C:22:"MongoDB\Driver\Manager":0:{}');
}, Exception::class), "\n";

echo raises(function() {
    unserialize('O:22:"MongoDB\Driver\Manager":0:{}');
}, E_WARNING), "\n";

?>
===DONE===
<?php exit(0); ?>
--EXPECTF--
OK: Got Exception
Serialization of 'MongoDB\Driver\Manager' is not allowed
OK: Got Exception
Unserialization of 'MongoDB\Driver\Manager' is not allowed
OK: Got E_WARNING
Erroneous data format for unserializing 'MongoDB\Driver\Manager'
===DONE===
Note that we'll need to test both the C and O formats. The O format was previously handled by __wakeup and, in PHP 7.4+, is handled by the new __unserialize method (see: PHPC-1849).
The test above may also need some adjustment for PHP 8.1, as the error for unserializing O notation likely differs from earlier PHP versions.
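The C: and O: notations tested above take different paths through the engine (the class's unserialize handler versus __wakeup/__unserialize), so any userland pre-filter that wants to log or refuse payloads naming driver classes has to recognise both. The following is an added example, not code from this ticket or from the driver; the function names, the sample payloads and the `MongoDB\Driver\` prefix check are constructed for illustration.

```php
<?php
// Scan a serialized payload and report which classes it would instantiate and via
// which notation ('O' or 'C'). s:N:"..." string bodies and C: custom-data blobs are
// skipped byte-exactly, so class-like text inside a string value is not misreported.
// Limitation: the rare S: (escaped string) notation is not handled.
function serialized_class_refs(string $data): array
{
    $refs = [];
    $len = strlen($data);
    $i = 0;
    while ($i < $len) {
        $c = $data[$i];
        if ($c === 's' && preg_match('/\Gs:(\d+):"/', $data, $m, 0, $i)) {
            $i += strlen($m[0]) + (int) $m[1] + 2; // body, closing quote and ';'
            continue;
        }
        if (($c === 'O' || $c === 'C') && preg_match('/\G[OC]:(\d+):"/', $data, $m, 0, $i)) {
            $start = $i + strlen($m[0]);
            $n = (int) $m[1];
            $name = substr($data, $start, $n);
            // The declared length must match exactly and be followed by '":'.
            if (strlen($name) === $n && substr($data, $start + $n, 2) === '":') {
                $refs[] = ['format' => $c, 'class' => $name];
                $i = $start + $n + 2;
                // C: custom data is an opaque blob of the declared byte length; skip it whole.
                if ($c === 'C' && preg_match('/\G(\d+):\{/', $data, $m2, 0, $i)) {
                    $i += strlen($m2[0]) + (int) $m2[1] + 1;
                }
                continue;
            }
        }
        $i++;
    }
    return $refs;
}

// Class names are case-insensitive in PHP, hence strncasecmp. Prefix is 15 bytes.
function names_driver_class(string $data): bool
{
    foreach (serialized_class_refs($data) as $ref) {
        if (strncasecmp($ref['class'], 'MongoDB\\Driver\\', 15) === 0) {
            return true;
        }
    }
    return false;
}

$payloads = [ // constructed samples: the two from the test, plus a benign look-alike
    'C:22:"MongoDB\Driver\Manager":0:{}',
    'O:22:"MongoDB\Driver\Manager":0:{}',
    'a:1:{i:0;s:34:"O:22:"MongoDB\Driver\Manager":0:{}";}', // string value only
];
foreach ($payloads as $p) {
    printf("%-56s driver class: %s\n", $p, names_driver_class($p) ? 'yes' : 'no');
}
```

The third payload only contains the object token inside an s: string, so it is reported as benign; a naive substring search would flag it.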