From: Nikita Popov <nikita.ppv@gmail.com>
Date: Tue, 22 Jan 2019 17:07:46 +0000 (+0100)
Subject: Remove the "o" serialization format
X-Git-Tag: php-7.4.0alpha1~1172
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=89a4c172e24d7eb2be7f272a6075634a14f1d791;p=php

Remove the "o" serialization format

We never generate the "o" format during serialization, so let's not
keep this unnecessary attack surface around.
---

diff --git a/UPGRADING b/UPGRADING
index 768298159d..4e8507b641 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -75,6 +75,10 @@ PHP 7.4 UPGRADE NOTES
     passed. Previously this would generate a recoverable fatal error on the
     next extraction operation.
 
+- Standard:
+  . The "o" serialization format has been removed. As it is never produced by
+    PHP, this may only break unserialization of manually crafted strings.
+
 ========================================
 2. New Features
 ========================================
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index 8dad71450e..5193a0ab41 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -948,17 +948,6 @@ use_double:
 	return finish_nested_data(UNSERIALIZE_PASSTHRU);
 }
 
-"o:" uiv ":" ["] {
-	zend_long elements;
-    if (!var_hash) return 0;
-
-	elements = object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR);
-	if (elements < 0 || elements >= HT_MAX_SIZE) {
-		return 0;
-	}
-	return object_common2(UNSERIALIZE_PASSTHRU, elements);
-}
-
 object ":" uiv ":" ["]	{
 	size_t len, len2, len3, maxlen;
 	zend_long elements;