Bug #67072 Echoing unserialized "SplFileObject" crash
Submitted: 2014-04-14 04:22 UTC Modified: 2014-06-19 23:54 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: arteau dot olivier at gmail dot com Assigned: ab (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.5.11 OS: Windows / Linux
Private report: No CVE-ID: None
 [2014-04-14 04:22 UTC] arteau dot olivier at gmail dot com
Description:
------------
Executing the script below crashes PHP.

Some quick debugging on my part seems to point to a NULL dereference bug in the spl related code. However, since I was debugging from the binary it's hard to tell where exactly in the code it is.

Test script:
---------------
<?php
   echo unserialize('O:13:"SplFileObject":1:{s:9:"*filename";s:15:"/home/flag/flag";}');
?>

Expected result:
----------------
Since "SplFileObject" objects aren't serializable, an exception should be thrown or bool(false) should be returned.

Actual result:
--------------
PHP crash.

Patches

Maschkrsm5138 (last revision 2014-07-27 08:09 UTC by omarguerrero2079 at gmail dot com)

History

 [2014-04-16 14:02 UTC] ab@php.net
-Assigned To: +Assigned To: ab
 [2014-04-17 09:10 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5328d4289946e260232f3195ba2e0f0eb173d5ef
Log: Fixed bug #67072 Echoing unserialized "SplFileObject" crash
 [2014-04-17 09:10 UTC] ab@php.net
-Status: Assigned +Status: Closed
 [2014-04-20 18:38 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5328d4289946e260232f3195ba2e0f0eb173d5ef
Log: Fixed bug #67072 Echoing unserialized "SplFileObject" crash
 [2014-04-20 18:39 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5328d4289946e260232f3195ba2e0f0eb173d5ef
Log: Fixed bug #67072 Echoing unserialized "SplFileObject" crash
 [2014-05-01 14:59 UTC] tyrael@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5328d4289946e260232f3195ba2e0f0eb173d5ef
Log: Fixed bug #67072 Echoing unserialized "SplFileObject" crash
 [2014-06-19 23:54 UTC] tyrael@php.net
The fix for this issue caused some BC breaks in userland, because some popular libs like phpunit-mock-objects and doctrine are using handcrafted serialize strings for easy instantiation of objects without calling the constructors.
For that use case ReflectionClass::newInstanceWithoutConstructor() should be used instead, but that requires PHP >= 5.4 and also prohibits instantiation of internal classes, or userland classes extending internal classes.
For instantiation of classes implementing the Serializable interface the "C:" format should be used instead of the "O:", as it will properly call the unserialize method defined for that class, but manually building valid strings for that format is a bit harder, see https://bugs.php.net/bug.php?id=67453&edit=1

For the discussion about the Unserialize trick and the constructless instantiation of internal classes see:
http://www.serverphorums.com/read.php?7,927788
http://www.serverphorums.com/read.php?7,946926
http://www.serverphorums.com/read.php?7,959450
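
The instantiation routes named in the comment above, as an added example that is not part of the original report or of any library it mentions. `Widget`, `Token`, `build_blank_payload()` and `instantiate_without_constructor()` are hypothetical names; the code assumes the PHP 5.4 to 7.x range the thread discusses.

```php
<?php
// Added illustration. Widget and Token are hypothetical userland classes.
// Written for the PHP 5.4-7.x era discussed in the thread; PHP 8.1+
// deprecates the Serializable interface.

class Widget
{
    public $ready = false;
    public function __construct() { $this->ready = true; }
}

class Token implements Serializable
{
    public $value = 'class-default';
    public function serialize() { return (string) $this->value; }
    public function unserialize($data) { $this->value = $data; }
}

// Build the hand-crafted string with computed length prefixes.
// "C:" routes through the class's own unserialize() method, "O:" does not.
function build_blank_payload($class)
{
    if (is_subclass_of($class, 'Serializable')) {
        return sprintf('C:%d:"%s":0:{}', strlen($class), $class);
    }
    return sprintf('O:%d:"%s":0:{}', strlen($class), $class);
}

function instantiate_without_constructor($class)
{
    try {
        // Preferred route: no serialized string is parsed at all.
        $ref = new ReflectionClass($class);
        return $ref->newInstanceWithoutConstructor();
    } catch (ReflectionException $e) {
        // Reflection refused (for example an internal class): fall back.
        $object = unserialize(build_blank_payload($class));
        if (!$object instanceof $class) {
            throw new RuntimeException("Cannot instantiate $class without its constructor");
        }
        return $object;
    }
}

$widget = instantiate_without_constructor('Widget');
var_dump($widget->ready);   // the constructor did not run

$token = unserialize(build_blank_payload('Token'));
var_dump($token->value);    // assigned by Token::unserialize() from the empty payload
```

Checking the result with `instanceof` rather than assuming success matters here, because a refused or malformed string makes `unserialize()` return `false` or an incomplete-class placeholder instead of the requested object.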
 [2014-10-07 23:15 UTC] stas@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=5328d4289946e260232f3195ba2e0f0eb173d5ef
Log: Fixed bug #67072 Echoing unserialized "SplFileObject" crash
 [2014-10-07 23:26 UTC] stas@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=5328d4289946e260232f3195ba2e0f0eb173d5ef
Log: Fixed bug #67072 Echoing unserialized "SplFileObject" crash