PHP :: Bug #47244 :: serialize() of a string with a line break (\r) broken.

Bug #47244	serialize() of a string with a line break (\r) broken.
Submitted:	2009-01-29 20:32 UTC	Modified:	2009-01-29 23:59 UTC
From:	nir at winpdb dot org	Assigned:
Status:	Not a bug	Package:	*General Issues
PHP Version:	5.2.8	OS:	Ubuntu Intrepid
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	nir at winpdb dot org
New email:
PHP Version:		OS:

New/Additional Comment:

[2009-01-29 20:32 UTC] nir at winpdb dot org

Description:
------------
Isn't this a bug?

php > print serialize("hi\rho");
ho";"hi
php > print unserialize(serialize("hi\rho"));
ho

I stumbled on this while working on a Drupal system. Can this possibly have security consequences as well? if a \r on a web form breaks the internal data structures of a system?

Am I missing anything?

PS: I am actually using PHP 5.2.6 on Ubuntu Intrepid.

Cheers,
Nir

Reproduce code:
---------------
print serialize("hi\rho");

Expected result:
----------------
s:5:"hi
ho";

Actual result:
--------------
ho";"hi

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-01-29 23:59 UTC] iliaa@php.net

It works fine in CVS, its possible that the \r char when output is 
causing formatting error that hides other chars.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Aug 17 15:00:03 2025 UTC