Hi Stas,

I'm not sure if this new argument to unserialize() is intuitive. May be better to use separate functions - unserialize_filtered() or something similar.

Thanks. Dmitry.

On Mon, Oct 27, 2014 at 11:03 AM, Stas Malyshev <smalys...@sugarcrm.com> wrote:

> Hi!
>
> I'd like to have a vote on unserialize() improvement proposal outlined
> here:
> https://wiki.php.net/rfc/secure_unserialize
>
> soon-ish, but since discussion on it has been more than a year ago I'd
> like to give it some prior notice and some time to re-consider. I still
> think it is a good improvement, not fixing all problems but allowing to
> fix some at reasonable cost. I've added some outline of arguments
> discussed before, but still open for comments. The patch is probably
> outdated but I'll fix it if it's accepted, if not I don't want to spend
> time on it. I'd like to have a vote sometime next week, but if there's
> more discussion it can be postponed.
> --
> Stanislav Malyshev, Software Architect
> SugarCRM: http://www.sugarcrm.com/
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php