We never generate the "o" format during serialization, so let's not
keep this unnecessary attack surface around.
passed. Previously this would generate a recoverable fatal error on the
next extraction operation.
+- Standard:
+ . The "o" serialization format has been removed. As it is never produced by
+ PHP, this may only break unserialization of manually crafted strings.
+
========================================
2. New Features
========================================
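Review bot: the new "Standard" entry in UPGRADING states that the "o" serialization format has been removed, but it does not say what a caller observes when unserialize() is handed such a string. Suggest adding one sentence on the resulting behaviour, so that anyone holding manually crafted strings of this form in stored data can recognise the failure. Writing the token as "o:" would also make clear exactly which prefix is meant.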
return finish_nested_data(UNSERIALIZE_PASSTHRU);
}
-"o:" uiv ":" ["] {
- zend_long elements;
- if (!var_hash) return 0;
-
- elements = object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR);
- if (elements < 0 || elements >= HT_MAX_SIZE) {
- return 0;
- }
- return object_common2(UNSERIALIZE_PASSTHRU, elements);
-}
-
object ":" uiv ":" ["] {
size_t len, len2, len3, maxlen;
zend_long elements;
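Review bot: the deletion of the `"o:" uiv ":" ["]` rule is not accompanied by a test in the visible changes. Suggest adding a regression test that passes an "o:"-prefixed string to unserialize() and asserts that it is rejected, so the format cannot be reintroduced unnoticed. Since the removed rule passed ZEND_STANDARD_CLASS_DEF_PTR to object_common1 explicitly, it is also worth confirming whether any remaining caller still needs that argument or whether the helper's signature can be simplified in a follow-up.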