DenyListDeserializer
Deserializes a PHP-serialized payload while refusing any class that carries a user-defined __destruct() or an exploitable __wakeup(), i.e. one not provided solely by BlockSerializationTrait.
The per-class deny/allow decision is made lazily via ReflectionClass when each class name is first encountered, then cached in cache:core so that reflection is never repeated for the same class within the cache lifetime.
Use this instead of a raw unserialize() call when the set of expected classes is not known up front but dangerous gadget classes must still be excluded.
Only to be used by TYPO3 core
Attributes
- #[Autoconfigure(public: true)]
Methods
__construct()
public
__construct(PhpFrontend $cache, HashService $hashService, DeserializationService $deserializationService) : mixed
Parameters
- $cache : PhpFrontend
- $hashService : HashService
- $deserializationService : DeserializationService
deserialize()
Deserializes $payload, throwing DeserializerException if any class name found in the payload is a deserialization gadget, or if the payload is syntactically malformed.
public
deserialize(string $payload) : mixed
Parameters
- $payload : string
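The deny-list decision described above, as an added example that is not TYPO3's own code. It assumes PHP 8.1+, scans the payload for O:/C: class tokens with a regex (the real DeserializationService is not reproduced), uses a plain array in place of cache:core, ships a hypothetical one-method stand-in for BlockSerializationTrait, and relies on trait-imported methods reporting the trait's file and start line through reflection. As defense in depth beyond what the page describes, it also passes the scanned class list as allowed_classes so that any object the scan did not see becomes __PHP_Incomplete_Class instead of being instantiated.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for TYPO3's BlockSerializationTrait: a __wakeup() whose
// only job is to refuse deserialization is not a gadget, so it is tolerated.
trait BlockSerializationTrait
{
    public function __wakeup(): void
    {
        throw new \RuntimeException(static::class . ' must not be unserialized');
    }
}

final class DeserializerException extends \RuntimeException {}

final class DenyListDeserializer
{
    /** @var array<string, bool> per-class decision cache (stands in for cache:core) */
    private array $decisions = [];

    public function deserialize(string $payload): mixed
    {
        $allowed = [];
        foreach ($this->classNamesIn($payload) as $class) {
            if ($this->isGadget($class)) {
                throw new DeserializerException(sprintf('Refusing to deserialize gadget class "%s"', $class));
            }
            $allowed[] = $class;
        }
        // unserialize() reports syntax errors as notices; turn them into exceptions.
        set_error_handler(static function (int $errno, string $message): never {
            throw new DeserializerException('Malformed payload: ' . $message);
        });
        try {
            // Only classes the scan has cleared may be instantiated at all.
            $value = unserialize($payload, ['allowed_classes' => $allowed]);
        } finally {
            restore_error_handler();
        }
        if ($value === false && $payload !== 'b:0;') {
            throw new DeserializerException('Malformed payload');
        }
        return $value;
    }

    /** @return list<string> class names from O:len:"Name" and C:len:"Name" tokens */
    private function classNamesIn(string $payload): array
    {
        preg_match_all('/[OC]:(\d+):"([^"]*)"/', $payload, $matches, PREG_SET_ORDER);
        $names = [];
        foreach ($matches as [, $length, $name]) {
            if ((int)$length === strlen($name)) {
                $names[$name] = true;
            }
        }
        return array_keys($names);
    }

    private function isGadget(string $class): bool
    {
        // Reflect lazily, once per class name; later lookups hit the cache.
        return $this->decisions[$class] ??= $this->decide($class);
    }

    private function decide(string $class): bool
    {
        if (!class_exists($class)) {
            // Unknown class: unserialize() yields __PHP_Incomplete_Class and runs no magic.
            return false;
        }
        $ref = new \ReflectionClass($class);
        if ($ref->hasMethod('__destruct') && $ref->getMethod('__destruct')->isUserDefined()) {
            return true;
        }
        if (!$ref->hasMethod('__wakeup') || !$ref->getMethod('__wakeup')->isUserDefined()) {
            return false;
        }
        // A user-defined __wakeup() is tolerated only if it is the one copied in from
        // the trait (assumption: the imported method keeps the trait's file and line).
        $wakeup = $ref->getMethod('__wakeup');
        $traitWakeup = new \ReflectionMethod(BlockSerializationTrait::class, '__wakeup');
        $fromTrait = $wakeup->getFileName() === $traitWakeup->getFileName()
            && $wakeup->getStartLine() === $traitWakeup->getStartLine();
        return !$fromTrait;
    }
}
```

Calling `(new DenyListDeserializer())->deserialize($payload)` on a payload such as `O:8:"stdClass":1:{s:1:"a";i:1;}` returns the object, while a payload naming any loaded class with a user-defined destructor throws DeserializerException before unserialize() runs. Note that a deny decision covers inherited destructors too, since hasMethod() sees the parent's method, which is what a defender wants: the gadget chain does not care which class in the hierarchy declared __destruct().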