rfc:secure_unserialize

Differences

rfc:secure_unserialize [2014/11/03 21:06] stas
rfc:secure_unserialize [2017/09/22 13:28] (current) – external edit 127.0.0.1
Line 3: Line 3:
   * Date: 2013-03-29    * Date: 2013-03-29 
   * Author: Stas Malyshev, stas@php.net   * Author: Stas Malyshev, stas@php.net
-  * Status: Voting+  * Status: Implemented
   * First Published at: http://wiki.php.net/rfc/secure_unserialize   * First Published at: http://wiki.php.net/rfc/secure_unserialize
   * Patch: https://github.com/php/php-src/pull/315   * Patch: https://github.com/php/php-src/pull/315
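Review bot: the Status line changes from Voting to Implemented, but nothing in this revision records the outcome of the vote that the page says opened on 2014-11-03, nor the PHP release in which the patch (php-src pull 315) shipped; both belong next to the Status line, since readers of an RFC header use them to locate the implementation and to check that what was implemented matches what was voted on.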
Line 36: Line 36:
 $data = unserialize($foo, array("MyClass", "MyClass2"));  $data = unserialize($foo, array("MyClass", "MyClass2")); 
 </code> </code>
 +
 +See API Update below.
  
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
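Review bot: the added pointer "See API Update below." does not match the heading it refers to, which this same revision names "API change", so the cross-reference will not be found by a reader searching the page; use the same wording in both places. The superseded example `$data = unserialize($foo, array("MyClass", "MyClass2"));` is also left as-is with no indication that this second-argument form is no longer the proposed signature, so a reader who stops at this code block takes away the wrong API; either mark the example as superseded or replace it with the `["allowed_classes" => [...]]` form.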
Line 56: Line 58:
 Vote started on 2014-11-03 and is open until 2014-11-10 23:59:59 PST.  Vote started on 2014-11-03 and is open until 2014-11-10 23:59:59 PST. 
  
-<doodle title="Approve filtered unserialize() proposal?" auth="stas" voteType="single">+<doodle title="Approve filtered unserialize() proposal?" auth="stas" voteType="single" closed="true">
    * Yes    * Yes
    * No    * No
 </doodle> </doodle>
  
 +
 +===== API change =====
 +
 +After some thought and discussion, I have decided to slightly change the API:
 +
 +<code php>
 +// this will unserialize everything as before
 +$data = unserialize($foo); 
 +// this will convert all objects into __PHP_Incomplete_Class object
 +$data = unserialize($foo, ["allowed_classes" => false]); 
 +// this will convert all objects except ones of MyClass and MyClass2 into __PHP_Incomplete_Class object
 +$data = unserialize($foo, ["allowed_classes" => ["MyClass", "MyClass2"]); 
 +//accept all classes as in default
 +$data = unserialize($foo, ["allowed_classes" => true]); 
 +</code>
 +
 +This will allow to extend the options array in the future if we ever want to add more parameters. No objections were voiced on the list regarding this API change.
  
 ===== References ===== ===== References =====
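Review bot: the third example in the new code block, `unserialize($foo, ["allowed_classes" => ["MyClass", "MyClass2"]);`, is missing the closing `]` of the outer options array and will not parse; it should read `unserialize($foo, ["allowed_classes" => ["MyClass", "MyClass2"]]);`. Since this is the form most readers will copy, the example should be exactly right. Two smaller points in the same hunk: the vote is closed (`closed="true"`) without the result being recorded anywhere on the page, and "This will allow to extend the options array" should read "This will allow the options array to be extended".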
rfc/secure_unserialize.1415048801.txt.gz · Last modified: 2017/09/22 13:28 (external edit)