Check meta-data deserialization capabilities in PHP 8
ohader opened this issue · 3 comments
Also, change the signature from getMetadata() to getMetadata(array $unserialize_options = []).
Start throwing earlier if setMetadata() is called and serialization threw.
Scope for this package, craft a bunch of exploits for PHP 8 and see whether it works.
In case it does, this package probably could "hand over" Phar handling to native PHP 8 then...
Other option is using class aliases for different versions of PHP(
Given that this library is not responsible for registering itself as a stream wrapper I think it's up to the calling code to decide what to do for PHP 8 - i.e. to not register the wrapper. If we want projects to be able to be both PHP 7 and PHP 8 compatible with the same code base then we need to allow this to be in a composer.json for a project that supports both of them.
#65 does the quickish thing of allowing install on PHP 8.0. The other option would be to release a new release which has the same API but does nothing other than passthrough to the PHP stream wrapper. But I think it's better for projects like Drupal to only register the wrapper when running on PHP 7.
Referenced commit adds basic check against meta-data deserialization in PHP 8.x. I agree that this library should not add more magic on checking PHP versions - enabling or disabling Phar stream wrapper has to be done individually by corresponding projects and integrations.
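A self-contained way to check the behaviour discussed in this thread, as an added example that is not code from this issue, the referenced commit or the package: it builds a harmless archive whose metadata is an object, then reports whether plain phar:// stream access revives that object and what getMetadata(array $unserialize_options = []) returns with allowed_classes disabled. MetadataProbe, probeMetadataDeserialization() and the temp file names are constructed for illustration.

```php
<?php
// Added example, not part of the package. Run: php -d phar.readonly=0 probe.php
declare(strict_types=1);

// Constructed marker class: counts how often unserialize() revives an instance.
final class MetadataProbe
{
    public static $wakeups = 0;
    public function __wakeup(): void { self::$wakeups++; }
}

function probeMetadataDeserialization(): array
{
    if (filter_var(ini_get('phar.readonly'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('Building the sample archive needs phar.readonly=0');
    }
    $base = sys_get_temp_dir() . '/metadata-probe-' . bin2hex(random_bytes(4));
    $phar = new Phar($base . '-a.phar');
    $phar->addFromString('index.txt', 'constructed sample');
    $phar->setMetadata(new MetadataProbe());
    unset($phar);
    // Read a copy under a new name so the manifest is parsed from disk,
    // not served from the archive already loaded in this process.
    copy($base . '-a.phar', $base . '-b.phar');
    $result = ['php' => PHP_VERSION];

    // 1. Plain stream access, as any file function on a phar:// path would do.
    MetadataProbe::$wakeups = 0;
    file_get_contents('phar://' . $base . '-b.phar/index.txt');
    $result['wakeups_on_stream_access'] = MetadataProbe::$wakeups;

    // 2. Explicit read with class instantiation disabled (PHP 8 signature only).
    if (PHP_VERSION_ID >= 80000) {
        $meta = (new Phar($base . '-b.phar'))->getMetadata(['allowed_classes' => false]);
        $result['restricted_read_class'] = get_class($meta);
        $result['wakeups_after_restricted_read'] = MetadataProbe::$wakeups;
    }
    @unlink($base . '-a.phar');
    @unlink($base . '-b.phar');
    return $result;
}

foreach (probeMetadataDeserialization() as $key => $value) {
    printf("%-30s %s\n", $key, $value);
}
```

A non-zero wakeups_on_stream_access means the running PHP version unserializes metadata on stream access alone, which is the case where a project would still want the wrapper registered.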