Hi!

> To clarify: I don't think it makes sense to add an additional security
> option, if we cannot say that unserialize() is to our knowledge *fully*

That's where we disagree. I think security is a spectrum, and you can
make it better. It looks like you think it's binary - either it is
*fully* airtight secure, or there's no point even bothering. I think
there is a point.

> Just looking at your implementation again, it looks like "false" is not
> a special value and you actually accept anything, regardless of type. So

The RFC is not about a specific pull, it's about the design. If there are
bugs in the pull, they can be fixed.
-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
