On Mon, Nov 3, 2014 at 10:10 PM, Stas Malyshev <smalys...@sugarcrm.com> wrote: > I'd like to put to vote my proposal about the filtered unserialize(): > > https://wiki.php.net/rfc/secure_unserialize
Hi, Coming late to the discussion. Was there any discussion to make the new argument a callback instead? Pass it the fully-qualified class name, have it return true (the class should be loaded) or false (the class should not be loaded). Deprecate the `unserialize_callback_func` mechanism at the same time. Damien -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php