Request #79759 Cannot unserialize payloads from PHP 7.4 on 7.3 if __serialize() is used
Submitted: 2020-06-29 20:02 UTC Modified: 2020-06-29 20:27 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: upyx dot 00 at gmail dot com Assigned:
Status: Open Package: *General Issues
PHP Version: 7.4.7 OS: any
Private report: No CVE-ID: None
 [2020-06-29 20:02 UTC] upyx dot 00 at gmail dot com
Description:
------------
Hello!

In PHP 7.4 the serialization mechanism has been changed in a backward-incompatible way. So it is (sometimes) not possible to serialize data in PHP 7.4 and deserialize it in PHP 7.3. Serialization is widely used for storing data in sessions, transferring data through message brokers, etc.

Our site runs on many servers, and the business has to work 24/7. So we cannot upgrade all nodes at once. When we upgrade some node to PHP 7.4, it starts producing serialized data on the network that is not supported by the other nodes. So we cannot update the nodes one by one. We're stuck here.

I've asked the community how they upgraded, and a lot of them answered something like "through pain and disgrace" because they didn't expect the problem and had to solve it when they ran into it. After some investigation, we realized that the problem is not in PHP itself but in the many open source libraries which declare support for PHP versions prior to 7.4 but use the new "__serialize()/__unserialize()" methods.

However, there is a problem, and we need a way to solve it. It is hardly possible to downgrade libraries because of the complicated dependency graph between them. It is barely possible to convince the libraries' authors to make the necessary changes because of the number of them. I propose two variants:
a) backport the "new" deserialization (but not serialization) to the next PHP 7.3 minor version;
b) add an option to force "legacy" serialization in the next PHP 7.4 minor release.

The first variant is the easiest to use. The second variant is the easiest to implement.

By the way, we solved *our* problem with the migration. It took a while, so I want to help others.
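The following script is an added illustration of the mechanism behind this report; it is not code from the report, from a library mentioned in it, or from PHP itself. PHP 7.4 prefers __serialize()/__unserialize() when a class defines them, while PHP 7.3 does not know those hooks and falls back to __sleep()/__wakeup(). Both hook pairs emit the "O:" format, so a class that returns exactly its public properties from __serialize() and names the same properties in the same order from __sleep() produces byte-identical payloads on both versions, and a node on either version can read what the other wrote. The class name SessionToken, its fields and the sample values are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example (not from the bug report or from PHP). SessionToken and its
// fields are made up for this illustration. Untyped properties are used on
// purpose: typed properties are 7.4 syntax and would not load on 7.3.
final class SessionToken
{
    /** @var string */
    public $id;

    /** @var int */
    public $issuedAt;

    /** @var mixed transient runtime state; rebuilt after unserialize, never shipped */
    private $cache;

    public function __construct(string $id, int $issuedAt)
    {
        $this->id = $id;
        $this->issuedAt = $issuedAt;
        $this->cache = null;
    }

    // PHP 7.4 path. Keys must be exactly the public property names, so the
    // "O:" payload is indistinguishable from what __sleep() yields on 7.3.
    public function __serialize(): array
    {
        return ['id' => $this->id, 'issuedAt' => $this->issuedAt];
    }

    public function __unserialize(array $data): void
    {
        $this->id = (string) $data['id'];
        $this->issuedAt = (int) $data['issuedAt'];
        $this->cache = null; // transient state is rebuilt, never taken from the wire
    }

    // PHP 7.3 path. Ignored on 7.4 because __serialize() exists.
    public function __sleep(): array
    {
        return ['id', 'issuedAt'];
    }

    public function __wakeup(): void
    {
        $this->cache = null;
    }
}

/**
 * Builds the portable "O:" payload by hand from the public property list so
 * the script can check that serialize() on the running interpreter emitted
 * exactly that form, whichever hook pair it chose.
 */
function portablePayload(SessionToken $token): string
{
    $props = ['id' => $token->id, 'issuedAt' => $token->issuedAt];
    $body = '';
    foreach ($props as $name => $value) {
        $body .= serialize($name) . serialize($value); // e.g. s:2:"id";s:3:"abc";
    }
    $class = SessionToken::class;
    return sprintf('O:%d:"%s":%d:{%s}', strlen($class), $class, count($props), $body);
}

$token = new SessionToken('abc', 1593460000); // constructed sample values
$payload = serialize($token);

if ($payload !== portablePayload($token)) {
    fwrite(STDERR, "PHP " . PHP_VERSION . " did not emit the portable form:\n$payload\n");
    exit(1);
}

// Restricting allowed_classes keeps unserialize() from instantiating arbitrary
// classes named in an incoming payload (option available since PHP 7.0).
$copy = unserialize($payload, ['allowed_classes' => [SessionToken::class]]);

if (!$copy instanceof SessionToken || $copy->id !== 'abc' || $copy->issuedAt !== 1593460000) {
    fwrite(STDERR, "round trip failed on PHP " . PHP_VERSION . "\n");
    exit(1);
}

echo "portable payload on PHP " . PHP_VERSION . ": $payload\n";
```

Run the script under a 7.3 and a 7.4 interpreter and compare the printed payloads; they should match, and a payload copied from one interpreter can be fed to the other. The pattern only holds while every key returned by __serialize() is a public property name: a library whose __serialize() returns other keys (or that also implements Serializable, whose "C:" format 7.3 would have used) produces exactly the cross-version mismatch the report describes.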


History

 [2020-06-29 20:27 UTC] nikic@php.net
-Summary: Impossible to use PHP 7.3 and 7.4 together and smoothly migrate between them +Summary: Cannot unserialize payloads from PHP 7.4 on 7.3 if __serialize() is used
 [2020-07-26 14:36 UTC] fortemppp at gmail dot com
unserialize is not working properly in 7.3 and 7.4, but the same code works in 7.2 or earlier versions. I found a solution for my code like this to resolve the issue and then unserialize.
$data = preg_replace_callback(
    '!s:\d+:"(.*?)";!s',
    function ($m) {
        // rewrite the declared byte length so it matches the captured string
        return 's:' . strlen($m[1]) . ':"' . $m[1] . '";';
    },
    $data
);
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Tue Oct 20 03:01:23 2020 UTC