Major - P3 Disabled __wakeup methods were originally introduced in PHPC-190. This was primarily needed for PHP 5.x. In PHP 7.0+, it's sufficient to disable the serialization object handlers (as is done in PHONGO_CE_DISABLE_SERIALIZATION). In PHP 8.1+, we need only add a flag on the class entry (PHPC-1922).
After removing Manager::__wakeup and its references in other non-serializable classes, we can test that serialization is still prohibited via a test like the following:
--TEST-- MongoDB\Driver\Manager does not support serialization --FILE-- <?php require_once __DIR__ . '/../utils/basic.inc'; echo throws(function() { serialize(create_test_manager()); }, Exception::class), "\n"; echo throws(function() { unserialize('C:22:"MongoDB\Driver\Manager":0:{}'); }, Exception::class), "\n"; echo raises(function() { unserialize('O:22:"MongoDB\Driver\Manager":0:{}'); }, E_WARNING), "\n"; ?> ===DONE=== <?php exit(0); ?> --EXPECTF-- OK: Got Exception Serialization of 'MongoDB\Driver\Manager' is not allowed OK: Got Exception Unserialization of 'MongoDB\Driver\Manager' is not allowed OK: Got E_WARNING Erroneous data format for unserializing 'MongoDB\Driver\Manager' ===DONE===
Note that we'll need to test both C and O formats. O was previously used by __wakeup but is now used by the new __unserialize method in PHP 7.4+ (see: PHPC-1849).
The test above may also need some adjustment for PHP 8.1, as the error for unserializing O notation likely differs from earlier PHP versions.
