php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #67072 Echoing unserialized "SplFileObject" crash
Submitted: 2014-04-14 04:22 UTC Modified: 2014-06-19 23:54 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: arteau dot olivier at gmail dot com Assigned: ab (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.5.11 OS: Windows / Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: arteau dot olivier at gmail dot com
New email:
PHP Version: OS:

 

 [2014-04-14 04:22 UTC] arteau dot olivier at gmail dot com 
Description:
------------
Executing the script below crashes PHP.

Some quick debugging on my part seems to point to a NULL dereference bug in the spl related code. However, since I was debugging from the binary it's hard to tell where exactly in the code it is.

Test script:
---------------
<?php
   echo unserialize('O:13:"SplFileObject":1:{s:9:"*filename";s:15:"/home/flag/flag";}');
?>

Expected result:
----------------
Since "SplFileObject" aren't serializable, an exception should be thrown or bool(false) should be returned.

Actual result:
--------------
PHP crash.

Patches

Maschkrsm5138 (last revision 2014-07-27 08:09 UTC by omarguerrero2079 at gmail dot com)

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-04-16 14:02 UTC] ab@php.net
-Assigned To: +Assigned To: ab
 [2014-04-17 09:10 UTC] ab@php.net 
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5328d4289946e260232f3195ba2e0f0eb173d5ef
Log: Fixed bug #67072 Echoing unserialized &quot;SplFileObject&quot; crash
 [2014-04-17 09:10 UTC] ab@php.net
-Status: Assigned +Status: Closed
 [2014-04-20 18:38 UTC] ab@php.net 
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5328d4289946e260232f3195ba2e0f0eb173d5ef
Log: Fixed bug #67072 Echoing unserialized &quot;SplFileObject&quot; crash
 [2014-04-20 18:39 UTC] ab@php.net 
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5328d4289946e260232f3195ba2e0f0eb173d5ef
Log: Fixed bug #67072 Echoing unserialized &quot;SplFileObject&quot; crash
 [2014-05-01 14:59 UTC] tyrael@php.net 
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5328d4289946e260232f3195ba2e0f0eb173d5ef
Log: Fixed bug #67072 Echoing unserialized &quot;SplFileObject&quot; crash
 [2014-06-19 23:54 UTC] tyrael@php.net 
The fix for this issue caused some BC breaks in the userland, because some popular libs like phpunit-mock-objects and doctrine are using handcrafter serialize strings for easy instantiation of object without calling the constructors.
For that usecase ReflectionClass::newInstanceWithoutConstructor() should be used instead, but that requires PHP >= 5.4 and also prohibits instantiation of internal classes, or userland classes extending internal classes.
For instantiation of classes implementing the Serializable interface the "C:" format should be used instead of the "O:", as it will properly call the unserialize method defined for that class, but manually building valid strings for that format is a bit harder, see https://bugs.php.net/bug.php?id=67453&edit=1

For the discussion about the Unserialize trick and the constructless instanitation of internal classes see:
http://www.serverphorums.com/read.php?7,927788
http://www.serverphorums.com/read.php?7,946926
http://www.serverphorums.com/read.php?7,959450
 [2014-10-07 23:15 UTC] stas@php.net 
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=5328d4289946e260232f3195ba2e0f0eb173d5ef
Log: Fixed bug #67072 Echoing unserialized &quot;SplFileObject&quot; crash
 [2014-10-07 23:26 UTC] stas@php.net 
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=5328d4289946e260232f3195ba2e0f0eb173d5ef
Log: Fixed bug #67072 Echoing unserialized &quot;SplFileObject&quot; crash
 [2018-07-10 16:33 UTC] cmb@php.net 
Related To: Bug #76606
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue Oct 28 13:00:01 2025 UTC