Hi!

> We should migrate such cases to serialize_deny though. I think it's pretty
> weird to explicitly implement __wakeup (signalling that yes, you can be
> unserialized), and then use it to throw (sorry, I lied).

Throwing in __wakeup does not signal that it can be serialized. What it
says is that if you try to unserialize it (note that the code doing
unserialize is not the same that does serialize and has no control over
what the argument string says - it may demand to unserialize anything)
it won't work. That _implies_ you shouldn't also serialize it (because
what's the point) but the important part is not to produce broken
objects from the unserialization loop.

Also, for CURLFile for example there are additional things that happen
on __wakeup besides throwing, probably for security reasons. I am not
sure whether they are necessary anymore as we pretty much tell people
"don't unserialize external data" but they are there for now. Just
moving to the _deny handler would probably not keep them.
-- 
Stas Malyshev
smalys...@gmail.com

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
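The pattern discussed above, as an added example (not code from the thread or from PHP's own CURLFile implementation): a userland class that throws from __wakeup so that an unserialize() call naming it never hands a half-built object back to the caller, alongside the `allowed_classes` option of unserialize() as the broader mitigation behind "don't unserialize external data". The class name `FileHandle`, its `path` property and the serialized payload string are all constructed for this example.

```php
<?php
// Added example, not from the mailing-list thread: a class that refuses to be
// rebuilt from an unserialize() string, the way Stas describes CURLFile doing.
final class FileHandle
{
    private string $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    // Serializing a handle is pointless, so refuse it on this side as well.
    public function __sleep(): array
    {
        throw new LogicException('FileHandle cannot be serialized');
    }

    // The unserializing side has no control over the input string: it may name
    // this class whether or not an instance was ever serialized. Throwing here
    // means no broken FileHandle object ever reaches the caller.
    public function __wakeup(): void
    {
        throw new LogicException('FileHandle cannot be unserialized');
    }
}

// Constructed input: a serialized string that names the class directly, as
// untrusted data could. "\0FileHandle\0path" is how a private property is
// encoded (16 bytes including the two NUL separators).
$payload = 'O:10:"FileHandle":1:{s:16:"' . "\0FileHandle\0path" . '";s:8:"/tmp/foo";}';

// 1. The __wakeup guard: unserialize() aborts with the exception instead of
//    returning an object whose invariants were never established.
try {
    $handle = unserialize($payload);
    echo "unexpected: object was built\n";
} catch (LogicException $e) {
    echo "refused: {$e->getMessage()}\n";
}

// 2. The broader mitigation for external data: tell unserialize() which classes
//    it may instantiate at all. With allowed_classes => false every object in the
//    string becomes __PHP_Incomplete_Class and no __wakeup is invoked.
$opaque = unserialize($payload, ['allowed_classes' => false]);
var_dump($opaque instanceof __PHP_Incomplete_Class);

// 3. The serialize side is refused too, so the "what's the point" implication
//    from the thread is enforced rather than merely assumed.
try {
    serialize(new FileHandle('/tmp/foo'));
} catch (LogicException $e) {
    echo "refused: {$e->getMessage()}\n";
}
```

Run it with `php example.php`. The first block is the defensive property the thread is about: the guard sits on the receiving side, where the input string is not under the code's control. The second block is what a caller should do anyway when the string comes from outside the process; it removes the class from the picture before any magic method can run, which is why the `__wakeup` guard is a backstop rather than the primary control.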
