Sec Bug #73258 SplObjectStorage unserialize allows use of non-object as key
Submitted: 2016-10-06 13:39 UTC Modified: 2016-10-13 10:37 UTC
From: yannayl at checkpoint dot com Assigned: stas (profile)
Status: Closed Package: SPL related
PHP Version: 7.0.11 OS:
Private report: No CVE-ID: None
 [2016-10-06 13:39 UTC] yannayl at checkpoint dot com
Description:
------------
SplObjectStorage::unserialize does not sanitize the unserialized input well enough and may pass a reference to an object as a key in the object storage.

lines 801-809 in ext/spl/spl_observer.c unserialize the entry and verify that it's of type IS_OBJECT

```
        if (!php_var_unserialize(&entry, &p, s + buf_len, &var_hash)) {
            goto outexcept;
        }
        if (Z_TYPE(entry) != IS_OBJECT) {
            zval_ptr_dtor(&entry);
            goto outexcept;
        }
```

Then, in line 812, the following code executes
```
            if (!php_var_unserialize(&inf, &p, s + buf_len, &var_hash)) {
```

If the parsed string is a reference (R:) to the entry zval, then the php_var_unserialize_internal() function will convert the entry to a zval of type IS_REFERENCE (a reference to the object).

Technically, this is a type-confusion, but I don't think it's (remotely) exploitable. I am reporting it as `security` just to be safe.

Test script:
---------------
```php
<?php
$x = unserialize('a:2:{i:0;O:8:"stdclass":0:{}i:1;C:16:"SplObjectStorage":24:{x:i:1;r:2;,R:5;;m:a:0:{}}}');

if ($x[1]->contains($x[0])) {
    echo "expected\n";
} else {
    echo "unexpected\n";
}
```


Expected result:
----------------
"expected" should be printed.

Actual result:
--------------
"unexpected" is printed.
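As an added example, not code from the report or from php-src, the mitigation a defender can apply on PHP 7.0 and later while waiting for a patched build: the `allowed_classes` option of `unserialize()` stops `O:`/`C:` records from reaching class-specific handlers such as `SplObjectStorage::unserialize()` at all, and a post-walk refuses anything that was downgraded to `__PHP_Incomplete_Class`. The function names `unserialize_untrusted` and `has_incomplete_class` and the benign sample payload are this example's own assumptions; the second payload is the report's own test string.

```php
<?php
// Added example, not code from the bug report or from php-src.
// Assumes PHP >= 7.0, where unserialize() accepts the allowed_classes option.
// Function names are this example's own.

/**
 * Unserialize $payload while instantiating only the classes in $allowed.
 * With an empty allow-list every "O:" / "C:" record becomes
 * __PHP_Incomplete_Class, so class-specific unserialize handlers such as
 * SplObjectStorage::unserialize() never run on attacker-controlled bytes.
 */
function unserialize_untrusted(string $payload, array $allowed = [])
{
    $value = unserialize($payload, ['allowed_classes' => $allowed]);

    // unserialize() returns false for malformed input *and* for the
    // serialized boolean false ("b:0;"); tell the two apart explicitly.
    if ($value === false && $payload !== 'b:0;') {
        throw new UnexpectedValueException('malformed serialized payload');
    }
    if (has_incomplete_class($value)) {
        throw new UnexpectedValueException('payload references a class that is not allowed');
    }
    return $value;
}

/**
 * Walk arrays and objects looking for __PHP_Incomplete_Class instances.
 * Back-references ("r:" / "R:") can make the value graph cyclic, so visited
 * objects are remembered by identity and nesting is depth-limited; hitting
 * the limit is treated as a rejection rather than risking a stack overflow.
 */
function has_incomplete_class($value, int $depth = 0, array &$seen = []): bool
{
    if ($depth > 64) {
        return true;
    }
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_object($value)) {
        $id = spl_object_hash($value);
        if (isset($seen[$id])) {
            return false; // already inspected this object
        }
        $seen[$id] = true;
        // The array cast exposes protected/private properties too, which
        // get_object_vars() would hide from outside the class.
        foreach ((array) $value as $prop) {
            if (has_incomplete_class($prop, $depth + 1, $seen)) {
                return true;
            }
        }
    } elseif (is_array($value)) {
        foreach ($value as $item) {
            if (has_incomplete_class($item, $depth + 1, $seen)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed inputs. The first is a plain array and is accepted; the second
// is the payload from the report and is refused before any SplObjectStorage
// is built, because no class is on the allow-list.
$benign = 'a:2:{i:0;s:3:"foo";i:1;i:42;}';
$report = 'a:2:{i:0;O:8:"stdclass":0:{}i:1;C:16:"SplObjectStorage":24:{x:i:1;r:2;,R:5;;m:a:0:{}}}';

var_dump(unserialize_untrusted($benign));
try {
    unserialize_untrusted($report);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with `php example.php`. Where an application genuinely needs object serialization, pass the few trusted class names in `$allowed` instead of an empty list; where it does not, a format with no class instantiation such as JSON avoids the whole class of `unserialize()` handler bugs, and the exception here is the signal to log and drop the request.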

Patches

Pull Requests

History

 [2016-10-07 04:54 UTC] yannayl at checkpoint dot com
Note: the test script may trigger bug #73257, which is a security issue, so please don't make this bug public before fixing #73257.
 [2016-10-11 05:56 UTC] stas@php.net
-PHP Version: 7.1Git-2016-10-06 (Git) +PHP Version: 7.0.11
 [2016-10-11 05:56 UTC] stas@php.net
The fix is in the security repo as 61cdd1255d5b9c8453be71aacbbf682796ac77d4 and in https://gist.github.com/878035c897be04617d38f15449b59797

Please verify.
 [2016-10-11 05:57 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-10-11 23:52 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=61cdd1255d5b9c8453be71aacbbf682796ac77d4
Log: Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key
 [2016-10-11 23:53 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-10-11 23:53 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2016-10-12 14:26 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=61cdd1255d5b9c8453be71aacbbf682796ac77d4
Log: Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key
 [2016-10-13 10:37 UTC] yannayl at checkpoint dot com
Looks good
 [2016-10-14 01:02 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f901dce57548cf1ef63578966ee16fa11509adcf
Log: Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=61cdd1255d5b9c8453be71aacbbf682796ac77d4
Log: Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f901dce57548cf1ef63578966ee16fa11509adcf
Log: Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f901dce57548cf1ef63578966ee16fa11509adcf
Log: Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=61cdd1255d5b9c8453be71aacbbf682796ac77d4
Log: Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key
Last updated: Mon Mar 31 07:01:29 2025 UTC