php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72178 unserialize regression in 5.6.21 and 7.0.6
Submitted: 2016-05-09 13:59 UTC Modified: 2016-05-10 16:28 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: bc at benjamin-cremer dot de Assigned: laruence (profile)
Status: Not a bug Package: *General Issues
PHP Version: 7.0.6 OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: bc at benjamin-cremer dot de
New email:
PHP Version: OS:

 

 [2016-05-09 13:59 UTC] bc at benjamin-cremer dot de
Description:
------------
When using `unserialize()` on a serialized string missing the trailing semicolon a notice will be triggered and `false` will be returned. 

This is a backwards compatibility break introduced in 5.6.21 and 7.0.6.

Test script:
---------------
var_dump(unserialize('s:4:"test"'));

Expected result:
----------------
string(4) "test"

Actual result:
--------------
PHP Notice:  unserialize(): Error at offset 10 of 10 bytes in php shell code on line 1
bool(false)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-05-09 14:29 UTC] bc at benjamin-cremer dot de
See: https://3v4l.org/qTJ8g
 [2016-05-09 14:32 UTC] bc at benjamin-cremer dot de
Relates to: https://bugs.php.net/bug.php?id=71840
 [2016-05-10 01:23 UTC] yohgaki@php.net
-Assigned To: +Assigned To: laruence
 [2016-05-10 05:25 UTC] laruence@php.net
the problem here is, how such a serialized string was generated?

every bug fix has side affect.
 [2016-05-10 05:45 UTC] bc at benjamin-cremer dot de
In our case the faulty serialized strings were generated by hand and were used as fixtures, see: https://github.com/shopware/shopware/blob/5.1/_sql/migrations/414-add-product-box-layout.php#L23

We fixed the faulty fixtures in the meantime but this bug affected quite a few customers.
 [2016-05-10 07:27 UTC] sjon at hortensius dot net
I agree with laruence, this is not a bug. The offending code should perform $value = serialize("basic"); dynamically instead of hardcoding its output.
 [2016-05-10 16:28 UTC] ab@php.net
-Status: Assigned +Status: Not a bug
 [2016-05-10 16:28 UTC] ab@php.net
Hi, thanks for the report. It is a certain BC breach, yes. However the string reported is not something that serialize() would produce. The related crash bugfix clearly outweighs the fact, that some invalid data can't be parsed anymore. Thus, not a bug.

Thanks.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 04:01:29 2024 UTC