github.com/trim21/go-phpserialize@v0.0.22-0.20240301204449-2fca0319b3f0/readme.md (about)

# go-phpserialize

![GitHub tag (latest SemVer)](https://img.shields.io/github/v/tag/trim21/go-phpserialize?style=flat-square)
[![Go Reference](https://pkg.go.dev/badge/github.com/trim21/go-phpserialize#section-readme.svg)](https://pkg.go.dev/github.com/trim21/go-phpserialize#section-readme)

PHP `serialize()` and `unserialize()` for Go.

Supports all Go types, including `map`, `slice`, `struct`, `array`, and simple types such as `int`, `uint`, etc.

Encoding some types from the standard library, such as `time.Time` and `net.IP`, is not supported.
If you have any thoughts on how to support these types, please create an issue.

## Supported and tested Go versions

- 1.18
- 1.19
- 1.20
- 1.21
- 1.22

If you see a compile error such as `golang_version_higher_than_*_not_supported_yet is undefined`,
try upgrading this package to its latest version.

If you are already on the latest version of this package, this is expected: the Go release you are building with has not been tested yet.

Because this package relies heavily on `unsafe` (which is not covered by the Go 1 compatibility promise),
a new Go release may break it,
so it uses build constraints to make sure it only compiles on tested Go versions.

## Use case

Encoding produces PHP arrays only: all Go data is serialized into PHP arrays, never into PHP classes.

Decoding from serialized PHP arrays and from serialized PHP classes are both supported.

## Install

```console
go get github.com/trim21/go-phpserialize
```

### Advantages

Low memory allocation and fast; see the [benchmark](./docs/benchmark.md).

### Disadvantages

Heavy usage of `unsafe`.

## Usage

### Unmarshal

See the [examples](./example_test.go).

When decoding into an `any` value, the result is a `map[any]any` or a `map[string]any`, depending on whether the raw input is a PHP `array` or a PHP `class`.

In a `map[any]any`, each key is either an `int64` or a `string`, mirroring the integer and string keys of a PHP array.

## Security

TL;DR: Don't unmarshal content you can't trust.

Attackers can make the decoder consume a large amount of memory with very few input bytes.

A PHP serialized array carries a length prefix; `a:1:{i:0;s:3:"one";}`, for example, declares one element. When decoding a PHP serialized array into a Go `slice` or
`map`, `go-phpserialize` may call Go's `make()` to create the slice or map with the declared length, taken straight from the input.

So a malicious input like `a:100000000:{}` (14 bytes) may become `make([]T, 100000000)` and consume a large amount of memory.

If you have to decode untrusted bytes, decode them only into fixed-length Go arrays or structs, whose sizes are fixed by your types rather than by the input;
never decode them into `interface`, `slice`, or `map`.

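As an added example for this section (written for this page, not code from go-phpserialize), the following stand-alone Go program walks a payload without building any values and rejects every length prefix that the remaining bytes cannot satisfy, so a hostile count such as `a:100000000:{}` is caught before the data reaches a decoder that preallocates from it. It covers the null, bool, int, float, string, array and object tags; the names `CheckLengths`, `walker` and `ErrLengthExceedsInput` are this example's own, and the sample payloads in the tests are constructed for illustration. Parse failures are raised with `panic` inside the walker and turned back into an error in `CheckLengths`, the way `encoding/json` handles encoder errors internally.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// ErrLengthExceedsInput flags a length prefix the remaining input cannot satisfy.
var ErrLengthExceedsInput = errors.New("declared length exceeds remaining input")

type walker struct {
	data []byte
	pos  int
}

// CheckLengths walks a PHP serialize() payload (N, b, i, d, s, a and O tags) without
// building values and reports the first length prefix the remaining bytes cannot
// satisfy, so untrusted input is rejected before a decoder preallocates from it.
func CheckLengths(data []byte) (err error) {
	w := &walker{data: data}
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("phpserialize: offset %d: %w", w.pos, r.(error))
		}
	}()
	w.value()
	return nil
}

func (w *walker) expect(c byte) {
	if w.pos >= len(w.data) || w.data[w.pos] != c {
		panic(fmt.Errorf("expected %q", c))
	}
	w.pos++
}

// field consumes `:<token><sep>` and returns the token.
func (w *walker) field(sep byte) string {
	w.expect(':')
	start := w.pos
	for w.pos < len(w.data) && w.data[w.pos] != sep {
		w.pos++
	}
	w.expect(sep)
	return string(w.data[start : w.pos-1])
}

// length reads a `:N:` prefix and rejects it unless the remaining input can hold N
// units of at least unit bytes each (1 per string byte, len("i:0;N;") == 6 per entry).
func (w *walker) length(unit int) int {
	n, err := strconv.ParseInt(w.field(':'), 10, 64)
	if err != nil || n < 0 {
		panic(errors.New("bad length"))
	}
	if n > int64(len(w.data)-w.pos)/int64(unit) {
		panic(ErrLengthExceedsInput)
	}
	return int(n)
}

// entries walks `:N:{key;value;...}`, the body shared by arrays and objects.
func (w *walker) entries() {
	n := w.length(6)
	w.expect('{')
	for i := 0; i < n; i++ {
		w.value() // key
		w.value() // value
	}
	w.expect('}')
}

func (w *walker) value() {
	if w.pos >= len(w.data) {
		panic(errors.New("unexpected end of input"))
	}
	tag := w.data[w.pos]
	w.pos++
	switch tag {
	case 'N':
		w.expect(';')
	case 'b', 'i', 'd':
		w.field(';') // scalars carry no length prefix, nothing to bound
	case 's', 'O':
		n := w.length(1) // string body or class name
		w.expect('"')
		w.pos += n
		w.expect('"')
		if tag == 'O' {
			w.entries() // object properties
			break
		}
		w.expect(';')
	case 'a':
		w.entries()
	default:
		panic(fmt.Errorf("unknown type tag %q", tag))
	}
}
```

Run `CheckLengths` on the raw bytes before calling `Unmarshal` whenever decoding into a `slice`, `map` or `any` cannot be avoided. It is linear in the input size and allocates nothing, but it is only a size sanity check, not a substitute for the advice above: it does not validate key types or string contents, and a well-formed payload can still be as large as the attacker is willing to send.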
## License

Heavily inspired by https://github.com/goccy/go-json

MIT License