PHP :: Bug #49800 :: SimpleXML allow serialize() calls without warning

Bug #49800	SimpleXML allow serialize() calls without warning
Submitted:	2009-10-07 09:09 UTC	Modified:	2009-10-07 12:46 UTC
From:	wmeler at wp-sa dot pl	Assigned:
Status:	Closed	Package:	SimpleXML related
PHP Version:	5.3.0	OS:	any
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	wmeler at wp-sa dot pl
New email:
PHP Version:		OS:

New Comment:

[2009-10-07 09:09 UTC] wmeler at wp-sa dot pl

Description:
------------
simplexml allows serialization which can (and should) be easily forbidden with following patch

--- php-5.3.0/ext/simplexml/simplexml.c 2009-06-11 11:41:15.000000000 +0200
+++ arisphp5/php/ext/simplexml/simplexml.c      2009-10-06 18:39:54.000652000 +0200
@@ -2526,6 +2526,8 @@
        sxe_class_entry = zend_register_internal_class(&sxe TSRMLS_CC);
        sxe_class_entry->get_iterator = php_sxe_get_iterator;
        sxe_class_entry->iterator_funcs.funcs = &php_sxe_iterator_funcs;
+       sxe_class_entry->serialize = zend_class_serialize_deny;
+       sxe_class_entry->unserialize = zend_class_unserialize_deny;
        zend_class_implements(sxe_class_entry TSRMLS_CC, 1, zend_ce_traversable);
        sxe_object_handlers.get_method = zend_get_std_object_handlers()->get_method;
        sxe_object_handlers.get_constructor = zend_get_std_object_handlers()->get_constructor;


Reproduce code:
---------------
<?
echo serialize(simplexml_load_string("<xml/>"));

Expected result:
----------------
Exception: Serialization of 'SimpleXMLElement' is not allowed in ...

Actual result:
--------------
O:16:"SimpleXMLElement":0:{}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-10-07 12:46 UTC] svn@php.net

Automatic comment from SVN on behalf of iliaa
Revision: http://svn.php.net/viewvc/?view=revision&revision=289279
Log: Fixed bug #49800 (SimpleXML allow (un)serialize() calls without warning).

# original patch by wmeler at wp-sa dot pl

[2009-10-07 12:46 UTC] iliaa@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

[2010-04-19 17:42 UTC] admin at fazigame dot com

Well I have problem because I have serialize(debug_backtrace()) and in backtrace I have simplexml and I got error "Serialization of 'SimpleXMLElement' is not allowed"

I can do for each all backtrace and remove this but shoudl be able to seriazlie backtrace...

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 24 05:00:02 2025 UTC