Hi! As many probably know, unserialize() has a security issue following from the fact that you can create objects with data from unserialize(), and these objects may have behavior that is invoked automatically, namely __destruct, that can result in unintended results. See e.g. http://heine.familiedeelstra.com/security/unserialize among others for a more detailed description.
So I propose a modification to unserialize(): https://wiki.php.net/rfc/secure_unserialize that would make one of the common cases, serializing data to be stored on the user side or on a user-accessible side, more secure by avoiding instantiating all objects (or all objects not belonging to a whitelist) and keeping them as incomplete objects instead.

Comments and suggestions welcome,
-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
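The following is an added example, not code from the post or from the RFC. It shows the problem the post describes (a class with a __destruct side effect being instantiated from attacker-controlled serialized data) next to the whitelist behaviour the proposal asks for, implemented here with the `allowed_classes` option that unserialize() accepts since PHP 7.0. The TempFile class, the helper functions, and the payload are constructed for illustration; the "attacker" input is built by the script itself and only touches temp files it created.

```php
<?php
// Added example; it is not code from the post or the RFC. It shows the
// __destruct problem with attacker-controlled unserialize() input and the
// whitelist behaviour the post describes, using the allowed_classes option
// that unserialize() accepts since PHP 7.0.

// Constructed class with a destructor that has a side effect. Any object of
// this class that unserialize() creates will run this destructor when freed.
class TempFile
{
    public $path;

    public function __construct($path)
    {
        $this->path = $path;
    }

    public function __destruct()
    {
        if (is_string($this->path) && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Unfiltered unserialize(): instantiates whatever class the payload names.
function unsafeUnserialize($data)
{
    return unserialize($data);
}

// Filtered unserialize(): $allowed is an array of class names, or false for
// "no classes at all". Anything not allowed comes back as a
// __PHP_Incomplete_Class instance, so no __wakeup or __destruct of the
// original class ever runs.
function filteredUnserialize($data, $allowed = false)
{
    return unserialize($data, ['allowed_classes' => $allowed]);
}

// Constructed payload: the "attacker" names TempFile and points its $path at
// a file they want deleted. Format: O:<len>:"<class>":<count>:{<props>}
function payloadFor($path)
{
    return 'O:8:"TempFile":1:{s:4:"path";s:' . strlen($path) . ':"' . $path . '";}';
}

// 1. Unfiltered: the object is a real TempFile and its destructor fires.
$victim = tempnam(sys_get_temp_dir(), 'victim');
$obj = unsafeUnserialize(payloadFor($victim));
echo "unfiltered: got ", get_class($obj), "\n";
unset($obj); // TempFile::__destruct runs here and deletes $victim
echo "unfiltered: victim exists after unset? ", var_export(file_exists($victim), true), "\n";

// 2. Filtered with an empty whitelist: TempFile is kept as an incomplete object.
$victim = tempnam(sys_get_temp_dir(), 'victim');
$payload = payloadFor($victim);
$obj = filteredUnserialize($payload, false);
echo "filtered: got ", get_class($obj), "\n";
// The incomplete object still carries the data, so serializing it again
// reproduces the original payload: nothing is lost, nothing is executed.
echo "filtered: round-trips? ", var_export(serialize($obj) === $payload, true), "\n";
unset($obj); // nothing to run: __PHP_Incomplete_Class has no destructor
echo "filtered: victim exists after unset? ", var_export(file_exists($victim), true), "\n";
unlink($victim);

// 3. Whitelisting TempFile explicitly brings the destructor back. The
// whitelist must therefore contain only classes whose magic methods
// (__wakeup, __destruct, __toString, ...) are harmless on arbitrary data.
$victim = tempnam(sys_get_temp_dir(), 'victim');
$obj = filteredUnserialize(payloadFor($victim), ['TempFile']);
echo "whitelisted: got ", get_class($obj), "\n";
unset($obj);
echo "whitelisted: victim exists after unset? ", var_export(file_exists($victim), true), "\n";
```

Run it with `php example.php` on PHP 7.0 or later. The third case is the practical caveat: filtering only reduces the attack surface to the whitelisted classes, so each class on the list must be reviewed for what its magic methods do when fed attacker-chosen property values. For data that only ever needs arrays and scalars, `allowed_classes => false` is the right default.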