From ccfaf3e4713b1878241f1235a6fcb66ad0582d47 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Wed, 7 Dec 2022 21:02:22 +0100 Subject: Add unserialize_noclass --- doc/source/config.rst | 14 ++++++++++++++ doc/source/features.rst | 2 ++ 2 files changed, 16 insertions(+) (limited to 'doc/source') diff --git a/doc/source/config.rst b/doc/source/config.rst index 9d2d0ed..bce4667 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst @@ -202,6 +202,20 @@ It can either be ``enabled`` or ``disabled``. sp.sloppy_comparison.enable(); sp.sloppy_comparison.disable(); +unserialize_noclass +^^^^^^^^^^^^^^^^^^^ + +:ref:`unserialize_noclass `, available only on PHP8+ and +disabled by default, will disable the deserialization of objects via +``unserialize``. It's equivalent to setting the ``options`` parameter of +``unserialize`` to ``false``, on every call. It can either be ``enabled`` or +``disabled``. + +:: + + sp.unserialize_noclass.enable(); + sp.unserialize_noclass.disable(); + unserialize_hmac ^^^^^^^^^^^^^^^^ diff --git a/doc/source/features.rst b/doc/source/features.rst index 25fd62d..60dbbef 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst @@ -166,6 +166,8 @@ CVE-2016-9138 `_, `2016-7124 `_, `CVE-2016-5771 and CVE-2016-5773 `_. +A less subtle mitigation can be used to simply prevent the deserialization of objects altogether. + Examples of related vulnerabilities """"""""""""""""""""""""""""""""""" -- cgit v1.3
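Review bot: In the config.rst hunk, the sentence "It's equivalent to setting the ``options`` parameter of ``unserialize`` to ``false``" misdescribes the PHP API: ``options`` is an array, and the relevant setting is the ``allowed_classes`` key, so the equivalent call is ``unserialize($data, ['allowed_classes' => false])``. Suggest rewording to "equivalent to passing ``['allowed_classes' => false]`` as the ``options`` parameter on every call", and adding one sentence on the observable effect (serialized objects are materialised as ``__PHP_Incomplete_Class`` instances rather than rejected with an error), since that is what a user enabling this option will see. Minor: the new section lands before ``unserialize_hmac`` although the surrounding options appear in alphabetical order; ``unserialize_noclass`` belongs after it.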
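Review bot: In the features.rst hunk, the added sentence "A less subtle mitigation can be used to simply prevent the deserialization of objects altogether." never names the option it refers to, so a reader has no way to find it; suggest linking it the same way the config.rst hunk does, e.g. "A less subtle mitigation, :ref:`unserialize_noclass`, simply prevents the deserialization of objects altogether." It would also help to state the trade-off in the same sentence (it breaks any legitimate code that relies on ``unserialize`` returning objects), which is the reason a user would choose the HMAC approach described just above instead.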