Removal of Eval and amended unit test #5
Conversation
| * | ||
| * @param mixed $value | ||
| * @return string | ||
| * @throws Exception\RuntimeException |
There was a problem hiding this comment.
Add a description about when the exception is thrown.
…os at once. Added description to docblock
|
Following our conversation can you re-review the unit test. For PHP Objects/Classes we are using the Zend\Json\Encoder and Zend\Json\Decoder. |
| public function testSerializeObject() | ||
| { | ||
| $value = new \stdClass(); |
There was a problem hiding this comment.
This test should work without changes. Otherwise this PR introduces a BC Break.
You'll find why JSON Encoder is not the solution. The adapter emulate php native serialize/unserialize without call the native implementation.
JSON Encoded adapter is this https://github.com/zendframework/zend-serializer/blob/master/src/Adapter/Json.php
There was a problem hiding this comment.
If we keep this test and make the changes suggested, from what I see the 'unserialize' will still fail. Mainly due to __set_status: "PHP Fatal error: Call to undefined method stdClass::__set_state()". The testUnserializeObject is skipped because of this.
This was the main reason why I decided to re-work this adapter altogether. What are your thoughts?
There was a problem hiding this comment.
I think the original issue is not resolved. This adapter has as objective serialize and unserialize using the PHP string format and not the JSON format.
There was a problem hiding this comment.
If we change the format, then this test wouldn't work unless we change the expected value.
|
Making changes to reflect upon comments made. |
| @@ -26,111 +25,71 @@ public function setUp() | |||
| $this->adapter = new Serializer\Adapter\PhpCode(); | |||
There was a problem hiding this comment.
Import the final class instead the only the namespace. This is the only class imported.
|
I don't think you'll able to complete the issue with the JSON Encoder proposal. However your refactor work of Could you put the changes on |
|
Hi Maks, This is done here: #6 I think we should at some point discuss/review this adapter in general. |
|
Thx. What is the difference between
|
|
With PhpCode is there a need to unserialize if that is the case? |
|
I'm not familiar enough with php code generation. I can imagine scenarios for transform an string to php objects without write to disk. But this is as dangerous as eval, so its not recomendable. |
|
eval should be avoided, I agree with this 100%. |
|
TBH this adapter does things Zend\Code already do. |
|
The adapter exists for two reasons:
Anyway this adapter has two big warnings in the documentation that it uses |
|
@levelfivehub I totally agree that @Maks3w @levelfivehub @weierophinney @Ocramius I also would be fine by removing this adapter. Even if I see a use-case (explained above) this use-case is very very special and this adapter should be simple enough to write down if you really need it (I never did). Additionally shipping this adapter by default could result in using it for wrong purposes and opens which opens big security issues. So mark it deprecated and remove in 3.0 - Thoughts? Marc |
|
This sort of adapter works really well with small cache maps, for example metadata related to entities, annotation cache, etc. Doctrine has a |
|
@Ocramius you are right that in a scenario of file caches 'var_export' + 'include' works just fine but there the use case is a bit different because of the include statement. I mean it is fast because it will result in a two level cache - shared memory (by opcache) + filesystem. In our case it can't use the opcache because it's using 'eval'. And because it can be used very simply outside of caching scenarios it's very simple to use this adapter for unserializing unsafe content. We could add a PhpFile adapter to the caching component to ship this functionality. |
|
see #33 |
Hi @Maks3w
This is now branched off develop with your changes. With your approval we will need to close the other PR.
Thanks