Background information
This was originally logged as a private issue to the security team, but was cleared to be moved to the public queue
- security.drupal.org private issue: https://security.drupal.org/node/182951
(included for reference. Please do not report access denied as an error.)
Problem/Motivation
The unserialize() function should never be used without specifying allowed classes.
Proposed resolution
Remaining tasks
User interface changes
None
Introduced terminology
None
API changes
None
Data model changes
None
Release notes snippet
N/A