Request #49649 unserialize() doesn't handle changes in property visibility
Submitted: 2009-09-24 07:08 UTC Modified: 2010-12-20 09:38 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:2 (66.7%)
From: coolfactor at mac dot com Assigned:
Status: Closed Package: Class/Object related
PHP Version: 5.3.0 OS: OS X 10.5.8
Private report: No CVE-ID: None
 [2009-09-24 07:08 UTC] coolfactor at mac dot com
Description:
------------
Unserializing an object after changing some of its class properties 
from public to protected results in properties present in both states. 

(As a workaround, migration code can be written using get_object_vars() 
to update the protected property from the corresponding public version 
within a __wakeup() call.)

Reproduce code:
---------------
(It's difficult to write reproduce code for this, so I hope the following step-by-steps are OK)

1. Object "John" of class "Person" stored in serialized form has property "age" with public visibility.
2. Change visibility of property "age" in class definition to "protected".
3. Unserialize "John". The property "age" will be present in both public and protected states.
4. Attempting to access the "age" property directly correctly returns the value stored in the protected version.
5. Using get_object_vars() returns the value stored in the public version.

Expected result:
----------------
Changes in property visibility should migrate the values gracefully upon 
unserialization. Properties by any given name should only exist once, 
but the current behavior conflicts with that.

Actual result:
--------------
Both versions of a property (public and protected) exist in unserialized 
object.
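
The reporter's steps 1-5 as a runnable check, added here as an example and not code from the report or from php-src. The class name Person and the property age come from the report; the serialized payload, getAge() and propertyForms() are constructed for illustration. It relies on PHP's serialize format storing a public property under its plain name and a protected one under "\0*\0name".

```php
<?php
// Added example: Person now declares $age as protected, while the payload
// below was "stored" when $age was still public (constructed sample data).
class Person
{
    protected $age = 0;

    public function getAge()
    {
        return $this->age;
    }
}

// Public form of the property name: s:3:"age". The protected form would be
// s:6:"\0*\0age" and the private form s:11:"\0Person\0age".
$stored = 'O:6:"Person":1:{s:3:"age";i:30;}';

/**
 * Map each unmangled property name to the visibility forms present on the
 * object. More than one entry for a name means the property exists twice.
 */
function propertyForms($obj)
{
    $forms = array();
    foreach (array_keys((array) $obj) as $key) {
        $key = (string) $key;
        if ($key !== '' && $key[0] === "\0") {
            // Mangled key: "\0*\0name" (protected) or "\0Class\0name" (private)
            $end   = strpos($key, "\0", 1);
            $scope = substr($key, 1, $end - 1);
            $name  = substr($key, $end + 1);
            $forms[$name][] = ($scope === '*') ? 'protected' : "private($scope)";
        } else {
            $forms[$key][] = 'public';
        }
    }
    return $forms;
}

// The payload is a fixed literal here; it is not untrusted input.
$john = unserialize($stored);

foreach (propertyForms($john) as $name => $seen) {
    $status = count($seen) > 1 ? 'DUPLICATED' : 'ok';
    printf("%-5s %-10s %s\n", $name, $status, implode(', ', $seen));
}
echo 'value read inside the class: ', $john->getAge(), "\n";
```

A name listed with more than one form is the duplicated state described under "Actual result"; the last line shows which copy code inside the class reads.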

 [2009-09-24 07:15 UTC] coolfactor at mac dot com
Furthermore:
1. there's no way to unset() the public version.
2. using __sleep() to return the properties to serialize results in the 
public version being serialized again, so there's no way to migrate the 
values permanently without reconstructing the object from scratch.
 [2010-12-20 09:38 UTC] jani@php.net
-Package: Feature/Change Request +Package: Class/Object related
 [2017-07-10 06:27 UTC] krakjoe@php.net
Automatic comment on behalf of mail@pmmaga.net
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7cb5bdf64a95bd70623d33d6ea122c13b01113bd
Log: Fix #49649 - Handle property visibility changes on unserialization
 [2017-07-10 06:27 UTC] krakjoe@php.net
-Status: Open +Status: Closed
Last updated: Wed Jan 22 19:01:31 2025 UTC