Hi Nikita,

https://wiki.php.net/rfc/custom_object_serialization

In the RFC, you mention that "Executing arbitrary code in the middle of
unserialization is dangerous and has led to numerous unserialize()
vulnerabilities in the past. For this reason __wakeup() calls are now
delayed until the end of unserialization."

How about destructors?
Some vulnerabilities come from destructors doing things with unserialized
state.
Would it be possible/a good idea to *not* call any destructors unless the
"wakeup" stage has been successful? Any exceptions thrown during
__wakeup/__unserialize would mean the unserialized data structure should be
destroyed without calling any destructors?
WDYT?

Nicolas
