github.com/trim21/go-phpserialize@v0.0.22-0.20240301204449-2fca0319b3f0/readme.md

# go-phpserialize

![GitHub tag (latest SemVer)](https://img.shields.io/github/v/tag/trim21/go-phpserialize?style=flat-square)
[![Go Reference](https://pkg.go.dev/badge/github.com/trim21/go-phpserialize#section-readme.svg)](https://pkg.go.dev/github.com/trim21/go-phpserialize#section-readme)

PHP `serialize()` and `unserialize()` for Go.

Supports all Go types, including `map`, `slice`, `struct`, `array`, and simple types like `int`, `uint`, etc.

Encoding some types from the standard library, like `time.Time` and `net.IP`, is not supported.
If you have any thoughts about how to support these types, please create an issue.

## Supported and tested Go versions

- 1.18
- 1.19
- 1.20
- 1.21
- 1.22

You may see a compile error saying `golang_version_higher_than_*_not_supported_yet is undefined`;
if so, try upgrading this package.

If you are already using the latest version of this package, this is expected.

Because this package uses `unsafe` (which is not covered by the Go 1 compatibility promise),
a new version of Go may break this package,
so it uses Go build flags to make sure it only compiles on tested Go versions.

## Use case:

You serialize all data into PHP arrays only.

Decoding from a PHP serialized array or class is supported.

## Install

```console
go get github.com/trim21/go-phpserialize
```

### Advantage:

Low memory allocation and fast, see [benchmark](./docs/benchmark.md)

### Disadvantage:

Heavy usage of `unsafe`.

## Usage

## Unmarshal

See [examples](./example_test.go)

The `any` type will be decoded to `map[any]any` or `map[string]any`, depending on whether the raw input is an `array` or a `class`.

A map's `any` key may be an `int64` or a `string`.

## Security

TL;DR: Don't unmarshal content you can't trust.

Attackers may consume a large amount of memory with very few bytes.

A PHP serialized array has a length prefix, as in `a:1:{i:0;s:3:"one";}`. When decoding a PHP serialized array into a Go `slice` or `map`,
`go-phpserialize` may call Go's `make()` to create a map or slice with the given length.

So a malicious input like `a:100000000:{}` may become `make([]T, 100000000)` and consume a lot of memory.

If you have to decode untrusted bytes, make sure to decode them only into a fixed-length Go array or struct;
never decode them into `interface`, `slice` or `map`.

## License

Heavily inspired by https://github.com/goccy/go-json

MIT License
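A pre-decode length check for the case described in the Security section, as an added example that is not part of go-phpserialize or its README. `CheckArrayLengths`, `ErrArrayLen` and the limit of 1000 are assumptions, as is the decoder reading the count as plain decimal digits; the check covers only the `a:N:{` prefix and does not replace the advice to decode untrusted bytes into fixed-length arrays or structs.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// ErrArrayLen is returned when a declared array length is rejected.
var ErrArrayLen = errors.New("phpserialize guard: array length rejected")

// minEntryBytes is the smallest possible entry: key `i:0;` (4) plus value `N;` (2).
const minEntryBytes = 6

// CheckArrayLengths (hypothetical helper, not part of go-phpserialize) scans raw
// input for every `a:<digits>:` prefix and rejects counts above maxLen or above
// what the bytes that follow could encode. String bodies are scanned too, so the
// check cannot be desynchronised from the real decoder; the cost is a false
// reject when a string happens to contain such text with a large count.
func CheckArrayLengths(data []byte, maxLen int) error {
	for i := 0; i+2 < len(data); i++ {
		if data[i] != 'a' || data[i+1] != ':' {
			continue
		}
		end := i + 2
		for end < len(data) && data[end] >= '0' && data[end] <= '9' {
			end++
		}
		if end == i+2 || end == len(data) || data[end] != ':' {
			continue // not an array length prefix
		}
		n, err := strconv.Atoi(string(data[i+2 : end]))
		if err != nil { // digits overflow int: far beyond any sane length
			return fmt.Errorf("%w: offset %d", ErrArrayLen, i)
		}
		if n > maxLen || n > (len(data)-end)/minEntryBytes {
			return fmt.Errorf("%w: a:%d at offset %d", ErrArrayLen, n, i)
		}
	}
	return nil
}

func main() {
	// The first two inputs are the README's examples; the third is constructed.
	for _, in := range []string{`a:1:{i:0;s:3:"one";}`, `a:100000000:{}`, `a:3:{i:0;N;}`} {
		fmt.Printf("%-24s -> %v\n", in, CheckArrayLengths([]byte(in), 1000))
	}
}
```

Run the check on the raw bytes before handing them to the decoder, and treat any error as a reason to drop the input.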