On Mon, Mar 27, 2023, at 2:12 PM, Mel Dafert wrote:
> On 27 March 2023 20:20:58 CEST, "Michał Marcin Brzuchalski" 
> <michal.brzuchal...@gmail.com> wrote:
>> Personally, I'd like the unserialize to throw an exception if trailing
>>bytes are detected.
>>If not by default then with the use of the option passed to unserialize
>>function.
>
> If that's the desired direction, it makes more sense to emit a 
> deprecation notice
> now and throw an exception starting in 9.0.
>
> Regards,
> Mel Dafert

I would also favor throwing an exception.  This is a security vector being 
closed, and that should be closed *hard*.  Warnings tend to show up where 
they're not useful (dev) and don't get noticed where they are (prod).  Go all the 
way to an exception here.

I'm flexible on if that happens in 8.3 or 9.  Maybe warning now, with exception 
in 9?  I don't know if that's better from a BC POV, but it should end up as an 
exception.

--Larry Garfield
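The behaviour under discussion is that unserialize() stops after the first complete value and silently ignores whatever follows, so a stored blob that has been appended to still "works". The following is an added illustration, not part of the thread and not PHP's own implementation: a small Python decoder for a subset of the serialize() wire format (N, b, i, d, s, a) that reports how many bytes it consumed, with a lenient mode mirroring the historical behaviour and a strict mode that rejects trailing data the way the thread proposes. The class and function names are the example's own.

```python
# Minimal decoder for a subset of PHP's serialize() format (N, b, i, d, s, a).
# Added example to show the trailing-bytes check discussed in the thread;
# it is not PHP's unserialize() and does not handle objects or references.

class TrailingDataError(ValueError):
    """Raised in strict mode when bytes remain after one complete value."""


class PhpUnserializer:
    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0  # offset of the next unread byte

    def _expect(self, token: bytes) -> None:
        if not self.data.startswith(token, self.pos):
            raise ValueError(f"expected {token!r} at offset {self.pos}")
        self.pos += len(token)

    def _read_until(self, delim: bytes) -> bytes:
        end = self.data.find(delim, self.pos)
        if end < 0:
            raise ValueError(f"missing {delim!r} after offset {self.pos}")
        out = self.data[self.pos:end]
        self.pos = end + len(delim)
        return out

    def parse_value(self):
        """Decode exactly one value starting at self.pos."""
        if self.pos >= len(self.data):
            raise ValueError("unexpected end of data")
        tag = self.data[self.pos:self.pos + 1]
        self.pos += 1
        if tag == b"N":                       # N;
            self._expect(b";")
            return None
        if tag == b"b":                       # b:1;
            self._expect(b":")
            return self._read_until(b";") == b"1"
        if tag == b"i":                       # i:42;
            self._expect(b":")
            return int(self._read_until(b";"))
        if tag == b"d":                       # d:1.5;
            self._expect(b":")
            return float(self._read_until(b";"))
        if tag == b"s":                       # s:4:"role";
            self._expect(b":")
            length = int(self._read_until(b":"))
            self._expect(b'"')
            raw = self.data[self.pos:self.pos + length]
            if len(raw) != length:
                raise ValueError("declared string length exceeds data")
            self.pos += length
            self._expect(b'";')
            return raw.decode("utf-8", errors="replace")
        if tag == b"a":                       # a:<count>:{key value ...}
            self._expect(b":")
            count = int(self._read_until(b":"))
            self._expect(b"{")
            result = {}
            for _ in range(count):
                key = self.parse_value()
                result[key] = self.parse_value()
            self._expect(b"}")
            return result
        raise ValueError(f"unsupported type tag {tag!r} at offset {self.pos - 1}")


def unserialize(data: bytes, strict: bool = False):
    """Decode one value; return (value, bytes_consumed).

    Lenient mode (default) mirrors the historical behaviour the thread is
    about: anything after the first complete value is ignored. Strict mode
    raises TrailingDataError instead, which is the check being proposed.
    """
    parser = PhpUnserializer(data)
    value = parser.parse_value()
    if strict and parser.pos != len(data):
        raise TrailingDataError(
            f"{len(data) - parser.pos} trailing byte(s) at offset "
            f"{parser.pos} of {len(data)}")
    return value, parser.pos


if __name__ == "__main__":
    clean = b'a:1:{s:4:"role";s:4:"user";}'      # constructed sample blob
    padded = clean + b"extra"                    # same blob with trailing bytes
    print(unserialize(padded))                   # lenient: value accepted
    try:
        unserialize(padded, strict=True)
    except TrailingDataError as exc:
        print("strict:", exc)
```

Comparing the returned byte count with the input length is the whole check; a caller that wants the 8.3-or-9 exception semantics today can apply the same comparison in front of whatever decoder it uses.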

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php