php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #72178 unserialize regression in 5.6.21 and 7.0.6
Submitted: 2016-05-09 13:59 UTC Modified: 2016-05-10 16:28 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: bc at benjamin-cremer dot de Assigned: laruence (profile)
Status: Not a bug Package: *General Issues
PHP Version: 7.0.6 OS:
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: bc at benjamin-cremer dot de
New email:
PHP Version: OS:

 

 [2016-05-09 13:59 UTC] bc at benjamin-cremer dot de 
Description:
------------
When using `unserialize()` on a serialized string missing the trailing semicolon a notice will be triggered and `false` will be returned. 

This is a backwards compatibility break introduced in 5.6.21 and 7.0.6.

Test script:
---------------
var_dump(unserialize('s:4:"test"'));

Expected result:
----------------
string(4) "test"

Actual result:
--------------
PHP Notice:  unserialize(): Error at offset 10 of 10 bytes in php shell code on line 1
bool(false)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-05-09 14:29 UTC] bc at benjamin-cremer dot de 
See: https://3v4l.org/qTJ8g
 [2016-05-09 14:32 UTC] bc at benjamin-cremer dot de 
Relates to: https://bugs.php.net/bug.php?id=71840
 [2016-05-10 01:23 UTC] yohgaki@php.net
-Assigned To: +Assigned To: laruence
 [2016-05-10 01:23 UTC] yohgaki@php.net 
https://3v4l.org/qTJ8g

Offending patch is 
http://git.php.net/?p=php-src.git;a=patch;h=6f241f5fad3a26810c96d5b634bfbceaeac10176
for 
https://bugs.php.net/bug.php?id=71840

Laruence, could you take a look?
 [2016-05-10 05:25 UTC] laruence@php.net 
the problem here is, how such a serialized string was generated?

every bug fix has side affect.
 [2016-05-10 05:45 UTC] bc at benjamin-cremer dot de 
In our case the faulty serialized strings were generated by hand and were used as fixtures, see: https://github.com/shopware/shopware/blob/5.1/_sql/migrations/414-add-product-box-layout.php#L23

We fixed the faulty fixtures in the meantime but this bug affected quite a few customers.
 [2016-05-10 07:27 UTC] sjon at hortensius dot net 
I agree with laruence, this is not a bug. The offending code should perform $value = serialize("basic"); dynamically instead of hardcoding its output.
 [2016-05-10 16:28 UTC] ab@php.net
-Status: Assigned +Status: Not a bug
 [2016-05-10 16:28 UTC] ab@php.net 
Hi, thanks for the report. It is a certain BC breach, yes. However the string reported is not something that serialize() would produce. The related crash bugfix clearly outweighs the fact, that some invalid data can't be parsed anymore. Thus, not a bug.

Thanks.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sat Nov 22 02:00:01 2025 UTC