php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #76632 Nested serialize() with shared references yields wrong unserialization
Submitted: 2018-07-16 12:43 UTC Modified: 2020-04-20 15:05 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: niklas dot correnz at hcom dot de Assigned: cmb (profile)
Status: Wont fix Package: *General Issues
PHP Version: 7.1.19 OS: Ubuntu 16.04
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: niklas dot correnz at hcom dot de
New email:
PHP Version: OS:

 

 [2018-07-16 12:43 UTC] niklas dot correnz at hcom dot de 
Description:
------------
When implementing \Serializable a nested serialize() call will cause the unserialized() result to be messed up.

Nested serialize() calls often occur when extending classes and overwriting serialize with additional fields, so this is not unusual. Our test script simulates this by nesting serialize().

The result still break, if the array with the referenced objects is not inside the nested serialize(), but instead any additional property is serialized with a nested call (not in the test script).

Test script:
---------------
$role1 = new \stdClass();
$role1->name = 'role1';
$role2 = new \stdClass();
$role2->name = 'role2';
class group implements \Serializable {
  private $roles;
  public function __construct(array $roles) {
    $this->roles = $roles;
  }
  public function serialize() {
    return serialize([serialize($this->roles)]);
  }
  public function unserialize($serialized) {
    $this->roles = unserialize(unserialize($serialized)[0]);
  }
}
$group1 = new \group([$role1, $role2]);
$group2 = new \group([$role1, $role2]);
var_dump(unserialize(serialize([$group1, $group2])));

Expected result:
----------------
array (size=2)
  0 => 
    object(group)[5]
      private 'roles' => 
        array (size=2)
          0 => 
            object(stdClass)[6]
              public 'name' => string 'role1' (length=5)
          1 => 
            object(stdClass)[7]
              public 'name' => string 'role2' (length=5)
  1 => 
    object(group)[8]
      private 'roles' => 
        array (size=2)
          0 => 
            object(stdClass)[6]
              public 'name' => string 'role1' (length=5)
          1 => 
            object(stdClass)[7]
              public 'name' => string 'role2' (length=5)

Actual result:
--------------
array (size=2)
  0 => 
    object(group)[5]
      private 'roles' => 
        array (size=2)
          0 => 
            object(stdClass)[6]
              public 'name' => string 'role1' (length=5)
          1 => 
            object(stdClass)[7]
              public 'name' => string 'role2' (length=5)
  1 => 
    object(group)[8]
      private 'roles' => 
        array (size=2)
          0 => string 'a:2:{i:0;O:8:"stdClass":1:{s:4:"name";s:5:"role1";}i:1;O:8:"stdClass":1:{s:4:"name";s:5:"role2";}}' (length=98)
          1 => 
            object(stdClass)[6]
              public 'name' => string 'role1' (length=5)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-07-16 13:39 UTC] cmb@php.net 
See <https://externals.io/message/98834>.
 [2020-04-20 15:05 UTC] cmb@php.net
-Status: Open +Status: Wont fix -Assigned To: +Assigned To: cmb
 [2020-04-20 15:05 UTC] cmb@php.net 
The Serializable interface has unresolvable issues, and is
superseeded by the __serialize() and __unserialize() magic
methods[1].

[1] <https://www.php.net/manual/en/language.oop5.magic.php#object.serialize>
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Mon Oct 27 22:00:01 2025 UTC