Feature: Cache Driver - Serialize/Unserialize Objects

[tada5hi]

Direction

Describe the bug
Cant serialize/unserialize Objects. Receive " __PHP_Incomplete_Class_Name"

$class = new Class() {
public function test() {
var_dump(123);
}
};

cache()->save('test',$class);
$cache = cache()->get('test');

$cache->test(); // this wont work

CodeIgniter 4 version
codeigniter4/framework: "dev-master"

Affected module(s)
Which package or class is the bug in, if known.

Expected behavior, and steps to reproduce if appropriate

Context

• OS: mac os sierra
• Web server nginx 1.2.1
• PHP version 7.3.7

[tada5hi]

maybe something like this library https://github.com/nilportugues/php-serializer provided by Nil Portugués Calderó would solve that problem.

[tada5hi]

The current problem in the cache library, is the missing option parameter for the unserialize method inside the getItemmethod for all cache handlers. In case of the Filehander, its line 320, where
$data = unserialize(file_get_contents($this->path . $key));
should be
$data = unserialize(file_get_contents($this->path . $key),['allowed_classes' => true]);

[tada5hi]

@lonnieezell @MGatner what do you think?

[MGatner]

Object serialization is not a guarantee, the object has to implement a serializable and I don't know that it is on the Cache library to check on that. I think the error you noted "__PHP_Incomplete_Class_Name" is actually an indication of the attempt to serialize something that can't be serialized. I'll leave policy decisions to the admins but I think it's probably up to the developer to ensure they are caching serializables.

[lonnieezell]

It looks like it should be able to handle that (though not with an anonymous class like your example implies, since PHP will balk at that). See: https://repl.it/@lonnieezell/FoolishSlateblueInvocation

In general, I agree that it's up to the dev to ensure that whatever they pass in can be serialized and unserialized successfully. However, this example looks valid, so we need to check what's going on for sure.

@tada5hi what cache driver did you discover this on?

[tada5hi]

@lonnieezell, at the Filehandler. But the Problem causes on all drivers, because they all use the php internal serialize and unserialize functions.
The problem is that php added a security aspect to the unserialize function like i mentioned before, so you have to specify the "allowed_classes" which can either be true or an array of allowed classes, which should be recreated as stable object.
For now i think we should add an configuration option in app/Config/Cache.php where a user can specify the allowed classes.

To prevent the unserialize method to properly create objects which are maybe malformed by a third party tool or sth. else, we should use encryption.
There is also an open pull request, which addresses this. But for this we ne we need a symmetric encoding and no asymetric encoding algorithmus.
But this should be feature request, i think we are fine with the allowed_classes in the config file for now.

[jim-parry]

Rhis should be discussed/resolved on the forum before showing up here.

[MGatner]

so you have to specify the "allowed_classes"

This is optional, and while it does add a layer of security we should be able to trust our input values. If some source has hijacked the filesystem (or whatever source of cache info) then nothing the framework would do could be of greater concern. From PHP.net:

Omitting this option is the same as defining it as TRUE: PHP will attempt to instantiate objects of any class.

In other words, "as is" any class is acceptable which is I think where we want to be.