php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #49800 SimpleXML allow serialize() calls without warning
Submitted: 2009-10-07 09:09 UTC Modified: 2009-10-07 12:46 UTC
From: wmeler at wp-sa dot pl Assigned:
Status: Closed Package: SimpleXML related
PHP Version: 5.3.0 OS: any
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: wmeler at wp-sa dot pl
New email:
PHP Version: OS:

 

 [2009-10-07 09:09 UTC] wmeler at wp-sa dot pl
Description:
------------
simplexml allows serialization which can (and should) be easily forbidden with following patch

--- php-5.3.0/ext/simplexml/simplexml.c 2009-06-11 11:41:15.000000000 +0200
+++ arisphp5/php/ext/simplexml/simplexml.c      2009-10-06 18:39:54.000652000 +0200
@@ -2526,6 +2526,8 @@
        sxe_class_entry = zend_register_internal_class(&sxe TSRMLS_CC);
        sxe_class_entry->get_iterator = php_sxe_get_iterator;
        sxe_class_entry->iterator_funcs.funcs = &php_sxe_iterator_funcs;
+       sxe_class_entry->serialize = zend_class_serialize_deny;
+       sxe_class_entry->unserialize = zend_class_unserialize_deny;
        zend_class_implements(sxe_class_entry TSRMLS_CC, 1, zend_ce_traversable);
        sxe_object_handlers.get_method = zend_get_std_object_handlers()->get_method;
        sxe_object_handlers.get_constructor = zend_get_std_object_handlers()->get_constructor;


Reproduce code:
---------------
<?
echo serialize(simplexml_load_string("<xml/>"));

Expected result:
----------------
Exception: Serialization of 'SimpleXMLElement' is not allowed in ...

Actual result:
--------------
O:16:"SimpleXMLElement":0:{}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-10-07 12:46 UTC] svn@php.net
Automatic comment from SVN on behalf of iliaa
Revision: http://svn.php.net/viewvc/?view=revision&revision=289279
Log: Fixed bug #49800 (SimpleXML allow (un)serialize() calls without warning).

# original patch by wmeler at wp-sa dot pl
 [2009-10-07 12:46 UTC] iliaa@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2010-04-19 17:42 UTC] admin at fazigame dot com
Well I have problem because I have serialize(debug_backtrace()) and in backtrace I have simplexml and I got error "Serialization of 'SimpleXMLElement' is not allowed"

I can do for each all backtrace and remove this but shoudl be able to seriazlie backtrace...
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC