Hi internals,

> As a minor suggestion:
> 
> > Additionally, add an $allowed_classes parameter to both getMetadata() 
> > implementations, defaulting to the current behavior of allowing any classes 
> > (true). This will be passed to the call to unserialize() performed 
> > internally. 
> 
> Rather than adding an $allowed_classes parameter, I'd add a general 
> $unserialize_options parameter that just gets passed through to unserialize. 
> E.g. we also have a "max_depth" option, which also seems potentially useful. 
> This will ensure that any new limitations we implement for unserialize() will 
> also be available in this context.

That sounds like a better idea than what I originally had - I'd forgotten about 
the max_depth option getting added in PHP 8.0.

Thanks,
- Tyson
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
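
The pass-through idea discussed in this message, as an added example that is not code from the thread or from php-src. `decodeMetadata()`, the `Marker` class, the payloads and the restrictive defaults are assumptions made for illustration; the proposal quoted above keeps the existing allow-all default.

```php
<?php
// Added illustration; Marker and all payloads below are constructed.
final class Marker
{
    public string $note = 'constructed';

    public function __wakeup(): void
    {
        echo "Marker::__wakeup() ran\n";
    }
}

/**
 * Hypothetical helper: forwards caller-supplied options unchanged to
 * unserialize(), so any option unserialize() understands works here too.
 * Caller keys win over the defaults because of the array union operator.
 */
function decodeMetadata(string $bytes, array $unserializeOptions = []): mixed
{
    $options = $unserializeOptions + ['allowed_classes' => false, 'max_depth' => 8];

    // Turn unserialize() diagnostics (depth exceeded, corrupt data) into exceptions.
    set_error_handler(static function (int $severity, string $message): bool {
        throw new UnexpectedValueException($message);
    });
    try {
        return unserialize($bytes, $options);
    } finally {
        restore_error_handler();
    }
}

$objectPayload = serialize(new Marker());

// Default options: no class is instantiated and __wakeup() never runs.
var_dump(decodeMetadata($objectPayload) instanceof __PHP_Incomplete_Class);

// Explicit allow-list: the object is restored and __wakeup() runs.
var_dump(decodeMetadata($objectPayload, ['allowed_classes' => [Marker::class]]) instanceof Marker);

// Ten levels of array nesting exceed the default max_depth of 8.
$deep = 1;
for ($i = 0; $i < 10; $i++) {
    $deep = [$deep];
}
try {
    decodeMetadata(serialize($deep));
} catch (UnexpectedValueException $e) {
    echo "rejected: depth limit exceeded\n";
}
var_dump(is_array(decodeMetadata(serialize($deep), ['max_depth' => 16])));
```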
