rfc:secure_unserialize

rfc:secure_unserialize [2014/11/03 21:06] stasrfc:secure_unserialize [2014/11/23 06:18] stas
Line 36: Line 36:
 $data = unserialize($foo, array("MyClass", "MyClass2"));  $data = unserialize($foo, array("MyClass", "MyClass2")); 
 </code> </code>
 +
 +See API Update below.
  
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
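Review bot: the added pointer "See API Update below." names a section title that does not match the one added later in this revision, which is headed "API change"; use the same wording in both places so the reference resolves. Since the example left in place above it still shows the plain-array form, unserialize($foo, array("MyClass", "MyClass2")), consider saying on this line that the form is superseded by the options array, so a reader who stops here does not copy the old signature.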
Line 56: Line 58:
 Vote started on 2014-11-03 and is open until 2014-11-10 23:59:59 PST.  Vote started on 2014-11-03 and is open until 2014-11-10 23:59:59 PST. 
  
-<doodle title="Approve filtered unserialize() proposal?" auth="stas" voteType="single">+<doodle title="Approve filtered unserialize() proposal?" auth="stas" voteType="single" closed="true">
    * Yes    * Yes
    * No    * No
 </doodle> </doodle>
  
 +
 +===== API change =====
 +
 +After some thought and discussion, I have decided to slightly change the API:
 +
 +<code php>
 +// this will unserialize everything as before
 +$data = unserialize($foo); 
 +// this will convert all objects into __PHP_Incomplete_Class object
 +$data = unserialize($foo, ["allowed_classes" => false]); 
 +// this will convert all objects except ones of MyClass and MyClass2 into __PHP_Incomplete_Class object
 +$data = unserialize($foo, ["allowed_classes" => ["MyClass", "MyClass2"]); 
 +//accept all classes as in default
 +$data = unserialize($foo, ["allowed_classes" => true]); 
 +</code>
 +
 +This will allow to extend the options array in the future if we ever want to add more parameters. No objections were voiced on the list regarding this API change.
  
 ===== References ===== ===== References =====
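Review bot: the third call in the added code block is missing a closing bracket. As written, ["allowed_classes" => ["MyClass", "MyClass2"]); closes the inner class list but not the options array, so the example does not parse; it should end with "MyClass2"]]);. As a style point, the last comment ("//accept all classes as in default") lacks the space after // that the other three comments use.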
rfc/secure_unserialize.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1