|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-08-10 06:19 UTC] stas@php.net
[2016-08-12 06:53 UTC] stas@php.net
-PHP Version: 7.0.9
+PHP Version: 5.6.24
[2016-08-13 19:36 UTC] stas@php.net
-PHP Version: 5.6.24
+PHP Version: 7.0.9
[2016-08-13 20:32 UTC] stas@php.net
[2016-08-14 01:22 UTC] stas@php.net
[2016-08-15 21:49 UTC] nikic@php.net
[2016-09-06 01:23 UTC] stas@php.net
[2016-09-06 02:58 UTC] stas@php.net
-Type: Security
+Type: Bug
[2016-09-06 02:58 UTC] stas@php.net
[2016-09-06 02:58 UTC] stas@php.net
-Status: Open
+Status: Closed
[2016-09-06 03:36 UTC] stas@php.net
-Assigned To:
+Assigned To: stas
[2016-09-06 03:36 UTC] stas@php.net
[2016-09-06 11:04 UTC] nikic@php.net
[2016-10-17 10:08 UTC] bwoebi@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 28 19:01:28 2024 UTC |
Description: ------------ When unserialize() is used with the allowed_classes option, the allowed classes are only enforced in the outer-most unserialize call. Nested unserialize() calls in the same serialization context do not enforce allowed classes. In practice this means that if allowed_classes contains any class using C-style serialization, then the restriction becomes ineffective. The test script shows this using ArrayObject. Test script: --------------- <?php // Forbidden class class A {} $p = 'x:i:0;a:1:{i:0;O:1:"A":0:{}};m:a:0:{}'; $s = 'C:11:"ArrayObject":' . strlen($p) . ':{' . $p . '}'; var_dump(unserialize($s, ['allowed_classes' => 'ArrayObject'])); Expected result: ---------------- object(A) should be an incomplete class instead. Actual result: -------------- object(ArrayObject)#1 (1) { ["storage":"ArrayObject":private]=> array(1) { [0]=> object(A)#2 (0) { } } }