
unserialize() does not throw on non-array allowed_classes in PHP 8.4.0 #19082

@ImperialCrise

Description

Description:
According to the PHP manual, as of PHP 8.4.0, passing a non-array value for the allowed_classes option in unserialize() should trigger a TypeError or ValueError. However, providing ['allowed_classes' => true] still silently reconstructs the object without any exception.


Steps to Reproduce:

  1. Create a file named test.php with the following contents:

    <?php
    declare(strict_types=1);
    
    class Person {
        public string $name;
        public int    $age;
    
        public function __construct(string $name, int $age) {
            $this->name = $name;
            $this->age  = $age;
        }
    }
    
    $serialized = serialize(new Person('Alice', 30));
    $value      = $serialized;
    
    // Pass boolean instead of an array:
    $result = unserialize($value, ['allowed_classes' => true]);
    
    var_dump($result);

  2. Run it from the command line:

    php test.php

Actual Result:

object(Person)#2 (2) {
  ["name"]=> string(5) "Alice"
  ["age"]=> int(30)
}

Expected Result:
A TypeError or ValueError should be thrown, for example:

PHP Fatal error:  Uncaught TypeError: unserialize(): "allowed_classes" option must be an array of class names in ...

Reference:
PHP manual on unserialize() options (8.4.0):
https://www.php.net/manual/en/function.unserialize.php

PHP Version

PHP 8.4.7 (cli) (built: May  9 2025 06:54:31) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.4.7, Copyright (c) Zend Technologies
    with Zend OPcache v8.4.7, Copyright (c), by Zend Technologies

Operating System

Ubuntu 24.04
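As an added example that is not part of the report above, the script below runs the same kind of payload through the three forms the allowed_classes option accepts in the manual (an array of class names, false, and true) and wraps unserialize() in a small helper that turns the silent __PHP_Incomplete_Class result into an exception. The class names Person and AuditEntry, the helper safe_unserialize, and the max_depth value are this example's own choices, not anything from the bug report or php-src.

```php
<?php
declare(strict_types=1);

// Added example, not taken from the bug report or from php-src.
// Class names, the helper and the max_depth value are this example's own.

class Person {
    public function __construct(public string $name, public int $age) {}
}

class AuditEntry {
    public function __construct(public string $note) {}
}

/**
 * Deserialize with an explicit allowlist and refuse the result if any
 * object inside it was not on the list. PHP does not throw for such
 * objects; it returns them as __PHP_Incomplete_Class, so the caller has
 * to look for that itself.
 */
function safe_unserialize(string $payload, array $allowed): mixed
{
    $value = unserialize($payload, [
        'allowed_classes' => $allowed,
        'max_depth'       => 16,   // bound nesting depth as well
    ]);

    // unserialize() returns false on a malformed payload (and emits a
    // warning); only a genuinely serialized false should pass here.
    if ($value === false && $payload !== serialize(false)) {
        throw new UnexpectedValueException('malformed payload');
    }

    $seen = new SplObjectStorage();   // guard against reference cycles
    $walk = static function (mixed $v) use (&$walk, $seen): void {
        if ($v instanceof __PHP_Incomplete_Class) {
            throw new UnexpectedValueException('class not on the allowlist');
        }
        if (is_object($v)) {
            if ($seen->contains($v)) {
                return;
            }
            $seen->attach($v);
            $v = (array) $v;          // includes non-public properties
        }
        if (is_array($v)) {
            foreach ($v as $child) {
                $walk($child);
            }
        }
    };
    $walk($value);

    return $value;
}

$person = serialize(new Person('Alice', 30));
$audit  = serialize(new AuditEntry('login ok'));

// 1. Array of class names: only the listed classes are reconstructed;
//    anything else comes back as __PHP_Incomplete_Class.
echo get_debug_type(unserialize($person, ['allowed_classes' => [Person::class]])), PHP_EOL;
echo get_debug_type(unserialize($audit,  ['allowed_classes' => [Person::class]])), PHP_EOL;

// 2. false: no class at all is reconstructed.
echo get_debug_type(unserialize($person, ['allowed_classes' => false])), PHP_EOL;

// 3. true (the default when the option is omitted): every class named in
//    the payload is reconstructed.
echo get_debug_type(unserialize($person, ['allowed_classes' => true])), PHP_EOL;

// The helper rejects the off-list class instead of handing back a
// __PHP_Incomplete_Class that later code might not expect.
try {
    safe_unserialize($audit, [Person::class]);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run with `php example.php`. The first and fourth lines print Person, the second and third print __PHP_Incomplete_Class, and the last line reports the rejection from the helper. For untrusted input the allowlist form is the one to reach for; passing true reconstructs whatever class names the payload carries, which is what the report's reproduction does.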
