PHP :: Bug #55303 :: zend_class_unserialize

Bug #55303	zend_class_unserialize_deny does not work
Submitted:	2011-07-27 19:00 UTC	Modified:	2016-07-26 22:57 UTC
From:	gopalv@php.net	Assigned:	nikic (profile)
Status:	Closed	Package:	Class/Object related
PHP Version:	trunk-SVN-2011-07-27 (SVN)	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	gopalv@php.net
New email:
PHP Version:		OS:

New Comment:

[2011-07-27 19:00 UTC] gopalv@php.net

Description:
------------
Disabling unserialize() for a class does not work when object_common1 is hit

In pecl/hidef trunk right now FrozenArray is marked with zend_class_unserialize_deny 

+    ce.serialize = zend_class_serialize_deny;
+    ce.unserialize = zend_class_unserialize_deny;

http://svn.php.net/viewvc/pecl/hidef/trunk/frozenarray.c?r1=311588&r2=313761

But the following code still fails to throw an exception (with hidef installed)

I traced the code to 

#0  frozen_array_new (ce=0xe34790) at /home/gopalv/apc_debug/hidef54/frozenarray.c:185
#1  0x00000000006a035b in _object_and_properties_init (arg=0x7ffff7fc8a38, class_type=0xe34790, properties=0x0) at /home/gopalv/apc_debug/PHP_5_4/Zend/zend_API.c:1122
#2  0x0000000000621b87 in object_common1 (rval=<value optimized out>, p=<value optimized out>, max=<value optimized out>, var_hash=<value optimized out>, ce=0xe34790) at ext/standard/var_unserializer.re:371
#3  0x0000000000622b9e in php_var_unserialize (rval=0x7fffffffb828, p=0x7fffffffb838, max=0x7ffff7eb8203 "", var_hash=0x7fffffffb830) at ext/standard/var_unserializer.re:717
#4  0x000000000060dd03 in zif_unserialize (ht=<value optimized out>, return_value=0x7ffff7fc8a38, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>)
    at /home/gopalv/apc_debug/PHP_5_4/ext/standard/var.c:942


Test script:
---------------
<?php

$s='O:11:"FrozenArray":3:{i:1;s:3:"xyz";i:2;s:3:"abc";i:0;s:5:"hello";}'; 

$a = unserialize($s);

print_r($a);


Expected result:
----------------
Fatal error: Uncaught exception 'Exception' with message 'Unserialization of 'FrozenArray' is not allowed' 


Actual result:
--------------
FrozenArray Object
(
)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2011-07-27 23:58 UTC] cataphract@php.net

-Status: Open +Status: Verified

[2011-07-27 23:58 UTC] cataphract@php.net

An example with a built-in function:

<?php
$c = unserialize('O:7:"Closure":0:{}');
var_dump($c);^D
object(Closure)#1 (0) {
}

ce.unserialize is not called if the serialized data doesn't indicate it's a "custom object".

[2016-07-26 22:57 UTC] nikic@php.net

-Status: Verified +Status: Closed -Assigned To: +Assigned To: nikic

[2016-07-26 22:57 UTC] nikic@php.net

This has been fixed in 5.5.13: https://3v4l.org/LEhlX

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Nov 22 10:00:02 2025 UTC