Since we use the Serializable interface, it won't be possible to provide a second parameter.
So I would suggest two things:
1. For AbstractArray we will prevent unserialize from initializing any class, by setting allowed_classes to false. (Mentioned as a solution in the docs linked above.)
2. In all child classes of AbstractArray you can override the unserialize method and set allowed_classes to the type of the collection, so unserialize will only initialize the known type of the collection.
For example:
```php
abstract class AbstractArray implements ArrayInterface
{
    ...
    // Base class: refuse to instantiate any object found in the payload.
    // Objects in the data come back as __PHP_Incomplete_Class instead.
    public function unserialize($serialized)
    {
        return unserialize($serialized, ['allowed_classes' => false]);
    }
    ...
}

abstract class AbstractCollection extends AbstractArray
{
    ...
    // Typed collection: only the collection's declared element class may be
    // instantiated; any other class in the payload is left incomplete.
    public function unserialize($serialized)
    {
        return unserialize($serialized, ['allowed_classes' => [$this->getType()]]);
    }
    ...
}
```
It's interesting to note that allowed_classes must be an array of concrete classes. This does not recognize inheritance through interfaces and abstract classes.
Using unserialize without a second parameter can be targeted for remote code execution. More details about this here: https://github.com/kalessil/phpinspectionsea/blob/master/docs/security.md#exploiting-unserialize
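An added example (not code from the issue or the library) that shows the effect of the three allowed_classes settings discussed above, including the comment's point that naming an interface or abstract parent does not admit its subclasses. The Shape/AbstractShape/Circle and WakeupLogger classes are assumed names constructed for the demo; a real collection would pass its getType() where Circle::class appears.

```php
<?php
// Constructed class hierarchy standing in for a typed collection's element type.
interface Shape {}
abstract class AbstractShape implements Shape {}
final class Circle extends AbstractShape { public $r = 1; }

// A class with a side effect in __wakeup(): with an unrestricted unserialize(),
// any such class that is loadable runs this code while the payload is parsed.
class WakeupLogger {
    public $msg = 'hello';
    public function __wakeup() { echo "  WakeupLogger::__wakeup ran\n"; }
}

// Constructed payload: an array holding the expected type plus an unexpected object.
$payload = serialize([new Circle(), new WakeupLogger()]);

// Report which classes were actually instantiated for a given allowed_classes value.
// Blocked objects come back as __PHP_Incomplete_Class, which get_class() reports.
function report(string $label, string $payload, array $options): array
{
    echo "$label:\n";
    $classes = [];
    foreach (unserialize($payload, $options) as $value) {
        $classes[] = get_class($value);
        echo "  ", end($classes), "\n";
    }
    return $classes;
}

// 1. No restriction (the original behaviour): both classes are instantiated,
//    and __wakeup() runs before the caller can check anything.
report('unrestricted', $payload, []);

// 2. AbstractArray: allowed_classes => false leaves every object incomplete.
report('allowed_classes=false', $payload, ['allowed_classes' => false]);

// 3. AbstractCollection: only the collection's concrete element class is built.
report('allowed_classes=[Circle]', $payload, ['allowed_classes' => [Circle::class]]);

// 4. Listing the interface or abstract parent does NOT allow Circle: allowed_classes
//    matches exact class names only, so Circle is also left incomplete here.
report('allowed_classes=[Shape, AbstractShape]', $payload,
       ['allowed_classes' => [Shape::class, AbstractShape::class]]);
```

Cases 2 to 4 never run WakeupLogger::__wakeup(), which is the property the issue's override is after; case 4 is why getType() must return the concrete class.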