Page MenuHomePhabricator
Create Task
Maniphest T391951

Switch `Event::serializeExtra()` to use JSONCodec instead of PHP's `serialize()`
Closed, ResolvedPublic
Actions

Description

The extra Event array contains arbitrary data passed by extensions when calling Event::create(). This data is later serialized by PHP function serialize() which is proven to cause some troubles:

  • PHP cannot unserialize value when class doesn't exist any more (for example alias was removed)
  • PHP cannot unserialize values when class was changed (some values are required/do not exist/etc)
  • it allows code injections
  • most likely methods serialize() and unserialize will be deprecated in PHP9

Instead of using serialize we can use the JSONCodec and JSONCodecable interface to allow Mediawiki to serialize/deserialize objects without using native PHP methods. This approach still allows extensions to keep arbitrary data they need. In case when the objects stored in the extra are not serializable (for example see T391948) extension developers can update their objects to allow serialization.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Use JsonCodec to serialize Extra arraymediawiki/extensions/Echomaster+43 -54
Pass json serialized extra when initializing fake notificationmediawiki/extensions/Echomaster+13 -3
Tests should use json to serialize event extramediawiki/extensions/Echomaster+25 -11
Customize query in gerrit

Related Objects
Search...

Event Timeline

pmiazga created this task.Apr 15 2025, 12:05 PM
Restricted Application added a project: Growth-Team. · View Herald TranscriptApr 15 2025, 12:05 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
DMburugu moved this task from Inbox to Triaged on the Growth-Team board.Apr 16 2025, 2:42 PM
gerritbot added a comment.May 6 2025, 5:10 PM

Change #1142641 had a related patch set uploaded (by Pmiazga; author: Pmiazga):

[mediawiki/extensions/Echo@master] Use JsonCodec to serialize Extra array

https://gerrit.wikimedia.org/r/1142641

gerritbot added a project: Patch-For-Review.May 6 2025, 5:10 PM
gerritbot added a comment.May 7 2025, 1:04 PM

Change #1143080 had a related patch set uploaded (by Pmiazga; author: Pmiazga):

[mediawiki/extensions/Echo@master] Pass json serialized extra when initializing fake notification

https://gerrit.wikimedia.org/r/1143080

gerritbot added a comment.May 7 2025, 1:13 PM

Change #1143083 had a related patch set uploaded (by Pmiazga; author: Pmiazga):

[mediawiki/extensions/Echo@master] Tests should use json to serialize event extra

https://gerrit.wikimedia.org/r/1143083

gerritbot added a comment.May 8 2025, 2:09 PM

Change #1143083 abandoned by Pmiazga:

[mediawiki/extensions/Echo@master] Tests should use json to serialize event extra

Reason:

It looks like this has to be part of Id342d4289228485deb007324d63eccbbb0031533 and I cannot split those into two smaller PRs

https://gerrit.wikimedia.org/r/1143083

gerritbot added a comment.May 13 2025, 3:21 AM

Change #1143080 merged by jenkins-bot:

[mediawiki/extensions/Echo@master] Pass json serialized extra when initializing fake notification

https://gerrit.wikimedia.org/r/1143080

gerritbot added a comment.May 13 2025, 3:27 AM

Change #1142641 merged by jenkins-bot:

[mediawiki/extensions/Echo@master] Use JsonCodec to serialize Extra array

https://gerrit.wikimedia.org/r/1142641

Maintenance_bot removed a project: Patch-For-Review.May 13 2025, 3:30 AM
ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.2; 2025-05-20).May 13 2025, 4:00 AM
matmarex closed this task as Resolved.May 13 2025, 6:39 PM
matmarex assigned this task to pmiazga.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits