Re: [PHP-DEV] [VOTE] Don't automatically unserialize Phar metadata outside getMetadata()

July 22, 2020 16:54 (tyson andre)
Hi internals,

> As a minor suggestion:
>
> > Additionally, add an $allowed_classes parameter to both getMetadata() implementations, defaulting to the current behavior of allowing any classes (true). This will be passed to the call to unserialize() performed internally.
>
> Rather than adding an $allowed_classes parameter, I'd add a general $unserialize_options parameter that just gets passed through to unserialize. E.g. we also have a "max_depth" option, which also seems potentially useful. This will ensure that any new limitations we implement for unserialize() will also be available in this context.

That sounds like a better idea than what I originally had - I'd forgotten about the max_depth option getting added in PHP 8.0.

Thanks,
- Tyson
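
Added example, not part of the original message or of php-src: how the two unserialize() options named in this thread behave when an options array is passed straight through to unserialize(), which is what the suggested parameter would do. The class `BuildInfo`, the helper `describe()` and both payloads are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed class standing in for any type with a magic method that
// runs as a side effect of unserialize().
final class BuildInfo
{
    public static int $wakeups = 0;
    public string $label = 'nightly';

    public function __wakeup(): void
    {
        self::$wakeups++;
    }
}

// Hypothetical helper: reports what unserialize() yields for $options.
function describe(string $payload, array $options): string
{
    $before = BuildInfo::$wakeups;
    $value = @unserialize($payload, $options); // @ hides the failure diagnostic
    if ($value === false) {
        return 'rejected';
    }
    $type = is_object($value) ? get_class($value) : gettype($value);
    $ran = BuildInfo::$wakeups > $before ? 'yes' : 'no';
    return sprintf('%s, __wakeup ran: %s', $type, $ran);
}

// Constructed payloads: one object, one array nested five levels deep.
$object = serialize(new BuildInfo());
$nested = serialize([[[[['leaf']]]]]);

$cases = [
    'object, any class allowed'   => [$object, ['allowed_classes' => true]],
    'object, no classes allowed'  => [$object, ['allowed_classes' => false]],
    'object, explicit allow-list' => [$object, ['allowed_classes' => [BuildInfo::class]]],
    'nested array, max_depth 2'   => [$nested, ['max_depth' => 2]],
    'nested array, max_depth 16'  => [$nested, ['allowed_classes' => false, 'max_depth' => 16]],
];

foreach ($cases as $name => [$payload, $options]) {
    printf("%-28s => %s\n", $name, describe($payload, $options));
}
```

With `allowed_classes` set to `false` the object comes back as `__PHP_Incomplete_Class` and its `__wakeup()` never runs; a payload nested deeper than `max_depth` makes unserialize() fail and return `false`.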