PHP 8.4 Deprecated features - unserialize() with allowed_classes => true #928
Description
What type of issue is this?
Incorrect/unexpected/unexplainable behavior
Operating system + version
Linux
PHP version
8.4.5
Connector/Database version (if applicable)
No response
Phpfastcache version
9.2.0 ✅
Describe the issue you're facing
Hello,
In the file phpfastcache/lib/Phpfastcache/Core/Pool/DriverBaseTrait.php, the unserialize() function is currently used with the option ['allowed_classes' => true]:
protected function unserialize(?string $value): mixed
{
return $value ? \unserialize($value, ['allowed_classes' => true]) : null;
}However, starting with PHP 8.4, passing true to allowed_classes is deprecated and will result in a fatal error. According to the [PHP 8.4 changelog](https://www.php.net/manual/en/migration84.deprecated.php), this argument must now be either:
- An array of class names,
false(to disallow all classes), ortruewas previously allowed but is now disallowed entirely.
Now throws TypeErrors and ValueErrors if the allowed_classes element of options is not an array of class names.
Suggested fix:
If the intent is to allow all classes, the recommendation would be to omit the allowed_classes option entirely or update it to the default behavior, depending on the security model of the library.
Best regards,
iCrise
Expected behavior
No response
Code sample (optional)
No response
Suggestion to fix the issue (optional)
No response
References (optional)
No response
Do you have anything more you want to share? (optional)
No response
Have you searched in our Wiki before posting ?
- I have searched over the Wiki