. pg_send_query()
. pg_send_query_params()
+- unserialize:
+ Manipulated serialization strings for objects implementing Serializable by
+ replacing "C:" with "O:" at the start will now produce an error.
+
========================================
5. New Functions
========================================
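Review bot: the new unserialize entry says a manipulated string "will now produce an error" without saying what the caller observes: which error level or exception is raised, and what unserialize() returns in that case. This is the user-facing note, so state both. The sentence is also hard to parse; something like 'Serialized strings in which the leading "C:" of an object implementing Serializable has been replaced with "O:" are now rejected' reads more directly.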
g. Additional str_* APIs
h. Addition of zend_hash_reindex
i. Addition of zend_hash_splice
+ j. An additional parameter is sent to Countable::count()
+ k. Unserialization of manipulated object strings
2. Build system changes
a. Unix build system changes
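Review bot: the added index line "j. An additional parameter is sent to Countable::count()" is not part of the unserialize change. The Countable text it points to already appears as unchanged context at the top of the next hunk, so this is a separate fix for a missing index entry. Mention it in the commit message or split it into its own commit, so the history for entry k is not mixed with it.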
fail. Extensions which implement Countable internally, need to accept one
optional long as parameter.
+ k. Unserialization of manipulated object strings
+
+ Strings requiring unserialization of objects are now explicitly checked
+ whether the object they contain implements the Serializable interface.
+ This solves the situation where manipulated strings could be passed for
+ objects using Serializable to disallow serialization. An object
+ implementing Serializable will always start with "C:" in the serialized
+ string, all other objects are represented with starting "O:". Objects
+ implementing Serializable to disable serialization using
+ zend_class_unserialize_deny and zend_class_serialize_deny, when
+ instantiated from the serializer with a manipulated "O:" string at the
+ start, will most likely be defectively initialized. This is now
+ fixed at the appropriate place by checking for the presence of the
+ serialize callback in the class entry.
+
========================
2. Build system changes
========================
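Review bot: in the new section k, the closing sentence ("checking for the presence of the serialize callback in the class entry") does not say what unserialize does when that callback is present and the string starts with "O:", and the paragraph never tells extension authors whether they need to change anything. For an internals note, name the class entry field that is checked, state the resulting behaviour, and replace "will most likely be defectively initialized" with a concrete description of what was left uninitialized. The phrase "objects using Serializable to disallow serialization" also reads as if Serializable itself disables serialization, while the next sentences attribute that to zend_class_unserialize_deny and zend_class_serialize_deny; reword it so the two are not conflated.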