1--TEST-- 2Test unserialize() with allowed_classes and subclasses 3--FILE-- 4<?php 5 6class C {} 7class D extends C {} 8 9$c = serialize(new C); 10$d = serialize(new D); 11 12var_dump(unserialize($c, ["allowed_classes" => ["C"]])); 13var_dump(unserialize($c, ["allowed_classes" => ["D"]])); 14var_dump(unserialize($d, ["allowed_classes" => ["C"]])); 15var_dump(unserialize($d, ["allowed_classes" => ["D"]])); 16 17--EXPECTF-- 18object(C)#%d (0) { 19} 20object(__PHP_Incomplete_Class)#%d (1) { 21 ["__PHP_Incomplete_Class_Name"]=> 22 string(1) "C" 23} 24object(__PHP_Incomplete_Class)#%d (1) { 25 ["__PHP_Incomplete_Class_Name"]=> 26 string(1) "D" 27} 28object(D)#%d (0) { 29} 30