nicolas-grekas

RFC for a Secure Unserialization Mechanism in PHP

Scope

PHP serialization/unserialization has several drawbacks [^1].

On the serialization side, the Serializable interface:

• breaks hard and soft references inside serialized data structures;

subfuzion

There are certain files created by particular editors, IDEs, operating systems, etc., that do not belong in a repository. But adding system-specific files to the repo's .gitignore is considered a poor practice. This file should only exclude files and directories that are a part of the package that should not be versioned (such as the node_modules directory) as well as files that are generated (and regenerated) as artifacts of a build process.

All other files should be in your own global gitignore file:

• Create a file called .gitignore in your home directory and add any filepath patterns you want to ignore.
• Tell git where your global gitignore file is.

Note: The specific name and path you choose aren't important as long as you configure git to find it, as shown below. You could substitute .config/git/ignore for .gitignore in your home directory, if you prefer.