On 03/11/2014 22:10, Stas Malyshev wrote:
> I'd like to put to vote my proposal about the filtered unserialize():

Hi,

After discussing this RFC with a few other people, we seem to agree that allowing some level of security-related filtering when unserializing is a nice idea -- so, we would be +1 on the principle.

Some of us think raising a notice -- or, better, throwing an exception -- in case of a not-allowed class might be helpful, especially when it comes to detecting problems and unsafe input data. Still, we understand __PHP_Incomplete_Class must have been chosen to remain close to the way unserialize() now behaves.

--
Pascal MARTIN, AFUP - French UG
http://php-internals.afup.org/
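
The stricter behaviour discussed above, as an added example that is not part of the original message or of the RFC: a wrapper that throws when a class outside the allow-list appears, instead of silently keeping a `__PHP_Incomplete_Class`. It assumes the `allowed_classes` option as shipped in PHP 7.0; `strictUnserialize()`, `assertNoIncomplete()`, `Point` and the payloads are hypothetical names and constructed data.

```php
<?php
// Added example: fail closed on classes outside the allow-list (PHP >= 7.0).
final class Point { public $x = 0; public $y = 0; }

// Walk the unserialized value; throw on the first __PHP_Incomplete_Class.
function assertNoIncomplete($value, SplObjectStorage $seen, int $depth = 0): void
{
    if ($depth > 64) {                       // guards against recursive arrays
        throw new UnexpectedValueException('serialized data nested too deeply');
    }
    if ($value instanceof __PHP_Incomplete_Class) {
        // The array cast exposes the class name the payload asked for.
        $name = ((array) $value)['__PHP_Incomplete_Class_Name'] ?? 'unknown';
        throw new UnexpectedValueException("class not allowed: $name");
    }
    if (is_object($value)) {
        if (isset($seen[$value])) {          // already visited (object cycle)
            return;
        }
        $seen[$value] = true;
        $value = (array) $value;             // includes private/protected props
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            assertNoIncomplete($item, $seen, $depth + 1);
        }
    }
}

function strictUnserialize(string $data, array $allowed)
{
    $result = @unserialize($data, ['allowed_classes' => $allowed]);
    if ($result === false && $data !== serialize(false)) {
        throw new UnexpectedValueException('malformed serialized data');
    }
    assertNoIncomplete($result, new SplObjectStorage());
    return $result;
}

// Constructed payloads: the second one nests a class that is not allowed.
$payloads = [
    'O:5:"Point":2:{s:1:"x";i:1;s:1:"y";i:2;}',
    'a:2:{i:0;O:5:"Point":2:{s:1:"x";i:1;s:1:"y";i:2;}i:1;O:10:"Unexpected":0:{}}',
];
foreach ($payloads as $payload) {
    try {
        $value = strictUnserialize($payload, [Point::class]);
        echo 'accepted: ', is_object($value) ? get_class($value) : gettype($value), "\n";
    } catch (UnexpectedValueException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";   // also the place to log
    }
}
```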


--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
