UPGRADING note about bug #67072

Author: weltling

UPGRADING

@@ -235,6 +235,10 @@ PHP 5.6 UPGRADE NOTES
     . pg_send_query()
     . pg_send_query_params()
 
+- unserialize:
+  Manipulated serialization strings for objects implementing Serializable by
+  replacing "C:" with "O:" at the start will now produce an error.
+
 ========================================
 5. New Functions
 ========================================

UPGRADING.INTERNALS

@@ -12,6 +12,8 @@ UPGRADE NOTES - PHP X.Y
   g. Additional str_* APIs
   h. Addition of zend_hash_reindex
   i. Addition of zend_hash_splice
+  j. An additional parameter is sent to Countable::count()
+  k. Unserialization of manipulated object strings
 
 2. Build system changes
   a. Unix build system changes
@@ -189,6 +191,21 @@ UPGRADE NOTES - PHP X.Y
   fail. Extensions which implement Countable internally, need to accept one
   optional long as parameter.
 
+  k. Unserialization of manipulated object strings
+
+  Strings requiring unserialization of objects are now explicitly checked
+  whether the object they contain implements the Serializable interface.
+  This solves the situation where manipulated strings could be passed for
+  objects using Serializable to disallow serialization. An object
+  implementing Serializable will always start with "C:" in the serialized
+  string, all other objects are represented with starting "O:". Objects
+  implementing Serializable to disable serialization using
+  zend_class_unserialize_deny and zend_class_serialize_deny, when
+  instantiated from the serializer with a manipulated "O:" string at the
+  start, will most likely be defectively initialized. This is now
+  fixed at the appropriate place by checking for the presence of the
+  serialize callback in the class entry.
+
 ========================
 2. Build system changes
 ========================