Issue #3368121 by arti_parmar, gbyte, WalkingDexter: unserialize() is insecure unless allowed classes are limited