force no object initialization when unserializing

shieldfy · Mar 27, 2017 · 6c64759 · 6c64759
1 parent 104baa7
commit 6c64759
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/Normalizers/NormalizeSerialize.php b/src/Normalizers/NormalizeSerialize.php
@@ -62,7 +62,7 @@ public function run()
         if (version_compare(PHP_VERSION, '7.0.0') >= 0) {
             //options added @ v 7.0 which allow no evaluating for classes
             //object will be instantiated as __PHP_Incomplete_Class
-            $decoded = @unserialize($this->value);
+            $decoded = @unserialize($this->value, false);
         } else {
             $decoded = false; //don't serialize it might be danger
         }