From ecd11b968713025bba6fc145a0765f85f48a8a00 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@bastelstu.be>
Date: Sun, 4 Aug 2024 18:23:19 +0200
Subject: [PATCH] unserialize: Deprecate the 'S' tag (#12309)

RFC: https://wiki.php.net/rfc/deprecations_php_8_4
---
 NEWS                                              |  3 +++
 UPGRADING                                         |  2 ++
 .../tests/serialize/unserialize_uppercase_s.phpt  | 15 +++++++++++++++
 ext/standard/var_unserializer.re                  |  3 +++
 4 files changed, 23 insertions(+)
 create mode 100644 ext/standard/tests/serialize/unserialize_uppercase_s.phpt

diff --git a/NEWS b/NEWS
index 343a59f4bf2..7706b798232 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,9 @@ PHP                                                                        NEWS
   . array out of bounds, stack overflow handled for segfault handler on windows.
     (David Carlier)
 
+- Standard:
+  . Unserializing the uppercase 'S' tag is now deprecated. (timwolla)
+
 01 Aug 2024, PHP 8.4.0alpha4
 
 - GMP:
diff --git a/UPGRADING b/UPGRADING
index a14711ed4ff..e7a1fa340c1 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -446,6 +446,8 @@ PHP 8.4 UPGRADE NOTES
   . Calling stream_context_set_option() with 2 arguments is deprecated.
     Use stream_context_set_options() instead.
   . Raising zero to the power of negative number is deprecated.
+  . Unserializing strings using the uppercase 'S' tag is deprecated.
+    RFC: https://wiki.php.net/rfc/deprecations_php_8_4
 
 ========================================
 5. Changed Functions
diff --git a/ext/standard/tests/serialize/unserialize_uppercase_s.phpt b/ext/standard/tests/serialize/unserialize_uppercase_s.phpt
new file mode 100644
index 00000000000..044dccdef63
--- /dev/null
+++ b/ext/standard/tests/serialize/unserialize_uppercase_s.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Test unserialize() with the 'S' format emits a deprecation.
+--FILE--
+<?php
+
+var_dump(unserialize('S:1:"e";'));
+var_dump(unserialize('S:1:"\65";'));
+
+?>
+--EXPECTF--
+Deprecated: unserialize(): Unserializing the 'S' format is deprecated in %s on line %d
+string(1) "e"
+
+Deprecated: unserialize(): Unserializing the 'S' format is deprecated in %s on line %d
+string(1) "e"
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index 69dd3f84d3a..78d102eefda 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -1089,6 +1089,9 @@ use_double:
 	*p = YYCURSOR;
 
 	ZVAL_STR(rval, str);
+
+	php_error_docref(NULL, E_DEPRECATED, "Unserializing the 'S' format is deprecated");
+
 	return 1;
 }