On 03/11/2014 22:10, Stas Malyshev wrote:
> I'd like to put to vote my proposal about the filtered unserialize():

Hi,
After discussing this RFC with a few other people, we seem to agree that
allowing some level of security-related filtering when unserializing is
a nice idea -- so, we would be +1 on the principle.
Some of us think raising a notice -- or, better, throwing an exception
-- in case of a not-allowed class might be helpful, especially when it
comes to detecting problems and unsafe input data. Still, we understand
__PHP_Incomplete_Class must have been chosen to remain close to the way
unserialize() now behaves.
--
Pascal MARTIN, AFUP - French UG
http://php-internals.afup.org/
--
PHP Internals - PHP Runtime Development Mailing List
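
The behaviour discussed in the message above, shown as an added example that is not code from the thread or from the RFC: a wrapper that filters classes on unserialize and throws when a not-allowed class comes back as `__PHP_Incomplete_Class`. It assumes the `allowed_classes` option of `unserialize()` as available in PHP 7 and later; the helper names `strictUnserialize` and `assertNoIncompleteClass` and the sample payload are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of PHP): unserialize with a class allow-list
// and throw, instead of silently continuing, when a filtered class appears.
function strictUnserialize(string $data, array $allowedClasses)
{
    $value = @unserialize($data, ['allowed_classes' => $allowedClasses]);
    if ($value === false && $data !== serialize(false)) {
        throw new UnexpectedValueException('Malformed serialized data');
    }
    assertNoIncompleteClass($value, new SplObjectStorage());
    return $value;
}

// Walk arrays and object properties; filtered classes show up as
// __PHP_Incomplete_Class instances that carry the original class name.
function assertNoIncompleteClass($value, SplObjectStorage $seen, int $depth = 0): void
{
    if ($depth > 64) {
        throw new UnexpectedValueException('Serialized data nested too deeply');
    }
    if ($value instanceof __PHP_Incomplete_Class) {
        $name = ((array) $value)['__PHP_Incomplete_Class_Name'] ?? 'unknown';
        throw new UnexpectedValueException("Class not allowed in serialized data: $name");
    }
    if (is_object($value)) {
        if (isset($seen[$value])) {
            return; // already checked; avoids looping on cyclic object graphs
        }
        $seen[$value] = true;
        $value = (array) $value; // exposes private and protected properties too
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            assertNoIncompleteClass($item, $seen, $depth + 1);
        }
    }
}

// Constructed sample input: an allowed stdClass wrapping an object of a class
// named "Unlisted" that is not on the allow-list.
$payload = 'O:8:"stdClass":1:{s:5:"inner";O:8:"Unlisted":0:{}}';
try {
    strictUnserialize($payload, ['stdClass']);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL; // log and reject the input here
}
```

Logging the rejected class name at the catch site gives the detection signal the message asks for, while the allow-list itself still prevents the object from being instantiated.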