PHP :: Bug #65724 :: unserialize doesn't always restore referenced objects

Bug #65724

unserialize doesn't always restore referenced objects

Submitted:

2013-09-20 12:34 UTC

Modified:

2013-10-05 15:53 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	1 (100.0%)

From:

niko dot sams at gmail dot com

Assigned:

Status:

Not a bug

Package:

*General Issues

PHP Version:

5.5.4

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	niko dot sams at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2013-09-20 12:34 UTC] niko dot sams at gmail dot com

Description:
------------
when doing another unserialize that creates objects in an 
Serializable::unserialize implementation things break, the 'parent' isn't 
unserialized correctly.

ok: PHP 5.3.3-7+squeeze14
ok: PHP 5.3.10-1ubuntu3.6
fail: PHP 5.4.4-14+deb7u2
fail: PHP 5.5.3

See phpt test script:
http://paste.kde.org/p83ce39d0/

Test script:
---------------
class Bar {}
class Foo implements Serializable {
    public $test;
    public function __construct($test) { $this->test = $test; }
    public function serialize()
    {
        return $this->test;
    }
    public function unserialize($serialized)
    {
        //the following line causes problems
        unserialize('O:3:"Bar":1:{s:4:"bar1";O:3:"Bar":0:{}}');
        $this->test = $serialized;
    }
}
$foo1 = new Foo('foo1');
$foo2 = new Foo('foo2');
$foo3 = new Foo('foo3');
$ar = array(
    array(
        'instance' => $foo1,
    ),
    array(
        'instance' => $foo2,
    ),
    array(
        'instance' => $foo3,
        'parent' => $foo2
    )
);
$ar = serialize($ar);
$ar = unserialize($ar);
print_r($ar);

Expected result:
----------------
[parent] => Foo Object ( [test] => foo2 ) )

Actual result:
--------------
[parent] => foo2

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-09-20 15:16 UTC] bixuehujin at gmail dot com

Had a test on commit @8f146c2(https://github.com/php/php-src/commit/8f146c2bb0dcba3307f08a839554be056e660f34), segfault occurred.

[2013-10-04 14:09 UTC] mike@php.net

-Status: Open +Status: Not a bug

[2013-10-04 14:09 UTC] mike@php.net

We have a recursive context for Serializable, thus if you unserialize unrelated strings in the unserialize callback, you literally throw bricks into the stream.

[2013-10-05 15:53 UTC] niko dot sams at gmail dot com

Ok, if this is not a bug which workaround do you suggest?

In my use case the unserialize method tiggers access to a config object which is cached and lazily loaded. So it can happen that loading the config is triggered inside unserialize.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Nov 04 15:00:01 2025 UTC