Request #79759 Cannot unserialize payloads from PHP 7.4 on 7.3 if __serialize() is used
Submitted: 2020-06-29 20:02 UTC Modified: 2020-06-29 20:27 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: upyx dot 00 at gmail dot com Assigned:
Status: Open Package: *General Issues
PHP Version: 7.4.7 OS: any
Private report: No CVE-ID: None
 [2020-06-29 20:02 UTC] upyx dot 00 at gmail dot com
Description:
------------
Hello!

In PHP 7.4 the serialization mechanism has been changed in a backward-incompatible way. So it is (sometimes) not possible to serialize data in PHP 7.4 and deserialize it in PHP 7.3. Serialization is widely used for storing data in sessions, transferring data through message brokers, etc.

Our site works on many servers, and the business has got to work 24/7. So we cannot upgrade all nodes at once. When we upgrade some node to PHP 7.4, it starts to produce serialized data to the network that is unsupported by the other nodes. So we cannot update the nodes one by one. We're stuck here.

I've asked the community how they upgraded, and a lot of them answered something like "through pain and disgrace" because they didn't expect the problem and had to solve it when they ran into it. After some investigation, we realized that the problem is not PHP itself but the many open source libraries which declare support for PHP prior to 7.4 but use the new "__serialize()/__unserialize()" methods.

However, there is a problem, and we need a way to solve it. It is hardly possible to downgrade libraries because of the complicated dependency graph between them. It is barely possible to convince libraries' authors to make necessary changes because of the number of them. I propose two variants:
a) backport "new" deserialization (but not serialization) to the next PHP 7.3 minor version;
b) add an option to force "legacy" serialization to the next PHP 7.4 minor release.

The first variant is the easiest to use. The second variant is the easiest to implement.

By the way, we solved *our* problem with migration. It took a while, so I want to help others.
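
The following script is an added example, not code from the bug report or from PHP itself; the class names Token and LegacyToken and the two payload strings are constructed for the demonstration. It shows the two shapes a library class can take and what each PHP version does with the resulting payload: a class that defines both Serializable and __serialize() is written in the "O:" form by PHP 7.4, which PHP 7.3 refuses for a Serializable class ("Erroneous data format for unserializing" and a false return), while a class that implements only Serializable is written and read in the "C:" form by both versions. Run it under each version and compare the output.

```php
<?php
// Added example; not code from the bug report or from PHP itself.
// Class names and payload strings below are constructed for the demo.

// The shape many libraries shipped: Serializable for PHP < 7.4 plus
// __serialize()/__unserialize() for PHP >= 7.4. On 7.4, serialize() prefers
// __serialize() and writes an "O:" payload; on 7.3, unserialize() rejects an
// "O:" payload for a class that implements Serializable and returns false.
final class Token implements Serializable
{
    /** @var string */
    private $id;

    public function __construct(string $id) { $this->id = $id; }
    public function getId(): string { return $this->id; }

    // Legacy interface, the only one PHP 7.3 knows about.
    public function serialize() { return $this->id; }
    public function unserialize($data) { $this->id = (string) $data; }

    // New interface, preferred by PHP 7.4 whenever it is present.
    public function __serialize(): array { return ['id' => $this->id]; }
    public function __unserialize(array $data): void { $this->id = $data['id']; }
}

// Mitigation for a mixed 7.3/7.4 fleet: implement only Serializable, so both
// versions write and read the "C:" form. PHP 7.4 accepts this silently; the
// deprecation of Serializable-only classes arrives with PHP 8.1, not 7.4.
final class LegacyToken implements Serializable
{
    /** @var string */
    private $id;

    public function __construct(string $id) { $this->id = $id; }
    public function getId(): string { return $this->id; }
    public function serialize() { return $this->id; }
    public function unserialize($data) { $this->id = (string) $data; }
}

// Which serializer wrote a payload: "C" (Serializable::serialize), "O"
// (property / __serialize form) or "" for scalars and arrays. A consumer still
// on 7.3 can use this to reject or quarantine "O:" payloads for Serializable
// classes instead of letting unserialize() warn and return false.
function serializerTag(string $payload): string
{
    return preg_match('/^([CO]):\d+:"/', $payload, $m) === 1 ? $m[1] : '';
}

// Constructed payloads: what each version writes for new Token('abc').
$fromPhp74 = 'O:5:"Token":1:{s:2:"id";s:3:"abc";}';
$fromPhp73 = 'C:5:"Token":3:{abc}';

printf("PHP %s writes Token as:       %s\n", PHP_VERSION, serialize(new Token('abc')));
printf("PHP %s writes LegacyToken as: %s\n", PHP_VERSION, serialize(new LegacyToken('abc')));

foreach ([$fromPhp73, $fromPhp74] as $payload) {
    // Class allow-list, so session or broker data can only instantiate Token.
    $obj = unserialize($payload, ['allowed_classes' => [Token::class]]);
    printf("%s payload -> %s\n", serializerTag($payload),
        $obj instanceof Token ? 'ok: ' . $obj->getId() : 'false');
}
// PHP 7.4: both payloads round-trip ("C" via Serializable::unserialize,
//          "O" via __unserialize).
// PHP 7.3: the "C" payload round-trips; the "O" payload emits the
//          "Erroneous data format" warning and yields false.
```

This is the situation behind variant a) above: PHP 7.4 can still read the "C:" payloads written by 7.3, but 7.3 cannot read the "O:" payloads written by 7.4, so during a rolling upgrade the 7.3 consumers are the ones that break. Keeping every class on the Serializable-only shape until the last node is on 7.4 keeps the wire format identical on both versions.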


Patches


Pull Requests


History

 [2020-06-29 20:27 UTC] nikic@php.net
-Summary: Impossible to use PHP 7.3 and 7.4 together and smoothly migrate between them +Summary: Cannot unserialize payloads from PHP 7.4 on 7.3 if __serialize() is used
 [2020-07-26 14:36 UTC] fortemppp at gmail dot com
unserialize is not working properly in 7.3 and 7.4 but the same code works in 7.2 or earlier versions. I found a solution for my code like this to resolve the issue and then unserialize.
$data = preg_replace_callback(
    '!s:\d+:"(.*?)";!s',
    // rewrite each declared string length to the actual byte length of the captured string
    function ($m) { return 's:' . strlen($m[1]) . ':"' . $m[1] . '";'; },
    $data
);
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Oct 28 20:01:24 2020 UTC