Block classes in unserialize field for IDE cheer

[civicrm-core.git] / CRM / Core / DAO.php

diff --git a/CRM/Core/DAO.php b/CRM/Core/DAO.php
index a54d1a1ca49f23c769c57a2377604fafc7ae891c..82c4ebc9f264d217d02b4c10b4876a917611ec0a 100644 (file)
--- a/CRM/Core/DAO.php
+++ b/CRM/Core/DAO.php
@@ -2877,8 +2877,9 @@ SELECT contact_id
    *
    * @param string|null $value
    * @param $serializationType
+   *
    * @return array|null
-   * @throws \Exception
+   * @throws CRM_Core_Exception
    */
   public static function unSerializeField($value, $serializationType) {
     if ($value === NULL) {
@@ -2898,13 +2899,13 @@ SELECT contact_id
         return strlen($value) ? json_decode($value, TRUE) : [];
 
       case self::SERIALIZE_PHP:
-        return strlen($value) ? unserialize($value) : [];
+        return strlen($value) ? unserialize($value, ['allowed_classes' => FALSE]) : [];
 
       case self::SERIALIZE_COMMA:
         return explode(',', trim(str_replace(', ', '', $value)));
 
       default:
-        throw new Exception('Unknown serialization method for field.');
+        throw new CRM_Core_Exception('Unknown serialization method for field.');
     }
   }