On Tue, Aug 5, 2025, at 4:14 AM, Casper Langemeijer wrote:
> I'm writing a this email to propose adding allowed_classes_callback 
> option to unserialize(). 
>
> The class name as parsed from the serialized string is passed as a 
> parameter to the callback, it should return a boolean. true would allow 
> the class, false would block it. This blocks classes the same way 
> 'allowed_classes' would, but by callback instead. The callback will be 
> triggered *after* allowed_classes is evaluated (if present). Blocking 
> will have the same effect as allowed_classes, using 
> __PHP_Incomplete_Class.
>
> This callback would solve a few problems where allowed_classes is not 
> sufficient:
>
> - This would also allow for fixing legacy applications where it is not 
> exactly clear what is being unserialized. In my use-case the callable 
> returns a true value but a E_USER_DEPRECATION is triggered. This way 
> data can be collected about what classes to allow through monitoring 
> these deprecations, providing a non-disrupting way to secure 
> unserialize calls. This is especially helpful in very generic 
> unserialize usages like caches.
>
> - It would allow for an is_subclass_of() check where for example an 
> interface can be added to classes that are safe to get unserialized. 
> Current allowed_classes array only matches the exact class, not it's 
> children. 
>
> Note that these problems are not resolvable by using 
> unserialize_callback_func because that call only happens for unloaded 
> classes, where the PHP Object Injection vulnerability 
> https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection 
> affects classes that might already have been loaded.
>
> In de pull request Jakub wrote:
>> Personally I don't see any issue here and it seems quite self contained and 
>> small so I wouldn't mind to get it merged without RFC. It might be worth to 
>> email internals first to double check that there are no objections first.
>
> Out of scope: I understand that __PHP_Incomplete_Class is not very 
> 2025. Adding an option throw_for_unknown_classes has been suggested on 
> this list. I'm happy to implement that, but for now I'd like to keep it 
> at allowed_classes_callback.
>
> Feedback is very much appreciated.
>
> The change and some more details live here: 
> https://github.com/php/php-src/pull/19087

I am not opposed to this, but I would like to see it go through an RFC.

--Larry Garfield

Reply via email to