Bug #81151 bypass __wakeup
Submitted: 2021-06-17 05:21 UTC Modified: 2021-06-17 11:39 UTC
Votes:15
Avg. Score:3.3 ± 1.1
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: j7ur8 at qq dot com Assigned:
Status: Open Package: Class/Object related
PHP Version: 7.3.28 OS: All
Private report: No CVE-ID: None
 [2021-06-17 05:21 UTC] j7ur8 at qq dot com
Description:
------------
use `C:` to bypass __wakeup.

Test script:
---------------
<?php
// https://3v4l.org/YAje0
class E {
    public function __construct() {
    }

    public function __destruct() {
        echo "destruct";
    }

    public function __wakeup() {
        echo "wake up";
    }
}

// "C:" payload naming a class that does not implement Serializable
var_dump(unserialize('C:1:"E":0:{}'));

Expected result:
----------------
Since `class E` doesn't implement Serializable, maybe unserialize should return an Error.

Actual result:
--------------
Warning: Class E has no unserializer in /in/YAje0 on line 17
object(E)#1 (0) {
}
destruct

/*
In my understanding, "C:" means a class implements Serializable, and it doesn't support __wakeup. Here, class E doesn't implement Serializable, __wakeup is ineffective, and __destruct works. Should it be so? I don't know.

*/

History
 [2021-06-17 05:24 UTC] stas@php.net
-Type: Security +Type: Bug
 [2021-06-17 05:24 UTC] stas@php.net
__wakeup is not a security feature, so it's not a security issue.
 [2021-06-17 11:39 UTC] cmb@php.net
Promoting this warning to an Exception makes some sense to me, but
would constitute a BC break, and given that the C format is
obsolete[1], it might be best to stick with the warning.

[1] <https://wiki.php.net/rfc/phase_out_serializable>
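The following is an added example, not code from the bug report or from php-src. It puts the behaviour reported above side by side for the `O:` and `C:` formats on a class that does not implement Serializable, and shows what the `allowed_classes` option of unserialize() does to both, since, as the maintainers note, __wakeup is not the control that stops an attacker-supplied class from being instantiated. The class name `Guarded`, its static counters, the `probe()` helper and the two payload strings are all constructed for this example.

```php
<?php
// Added example, not code from the bug report or from php-src. The class,
// the payloads and the counters are constructed for illustration only.
// It shows what "O:" and "C:" payloads do to __wakeup and __destruct for a
// class that does NOT implement Serializable, and that allowed_classes
// (not __wakeup) is what prevents the object from being built at all.

class Guarded
{
    public static int $wakeups = 0;
    public static int $destructs = 0;

    // Attacker-controlled through an "O:" payload; untouched by a "C:" payload.
    public string $cmd = 'default';

    // A common but mistaken "guard": neutralise the payload in __wakeup.
    public function __wakeup(): void
    {
        self::$wakeups++;
        $this->cmd = '';
    }

    // Stands in for whatever side effect a gadget chain would trigger.
    public function __destruct()
    {
        self::$destructs++;
    }
}

/**
 * Unserialize $data with $options, collecting PHP warnings instead of
 * printing them, and report which magic methods of Guarded actually ran.
 */
function probe(string $data, array $options = []): array
{
    $warnings = [];
    set_error_handler(function (int $errno, string $errstr) use (&$warnings): bool {
        $warnings[] = $errstr;
        return true;
    });

    $before = [Guarded::$wakeups, Guarded::$destructs];
    $result = unserialize($data, $options);
    restore_error_handler();

    $report = [
        'returned' => is_object($result) ? get_class($result) : gettype($result),
        'cmd'      => $result instanceof Guarded ? $result->cmd : null,
        'warnings' => $warnings,
    ];
    unset($result); // drop the only reference so __destruct (if any) runs here

    $report['wakeup_ran']   = Guarded::$wakeups   > $before[0];
    $report['destruct_ran'] = Guarded::$destructs > $before[1];
    return $report;
}

// Constructed payloads. "C:" carries an opaque blob (here 9 bytes) that only a
// Serializable::unserialize() implementation would consume; Guarded has none,
// so PHP warns, builds the object with default properties and skips __wakeup.
$oPayload = 'O:7:"Guarded":1:{s:3:"cmd";s:2:"id";}';
$cPayload = 'C:7:"Guarded":9:{s:2:"id";}';

$cases = [
    'O: format'                        => [$oPayload, []],
    'C: format'                        => [$cPayload, []],
    'O: format, allowed_classes=false' => [$oPayload, ['allowed_classes' => false]],
    'C: format, allowed_classes=false' => [$cPayload, ['allowed_classes' => false]],
];

foreach ($cases as $label => [$data, $options]) {
    echo $label, ":\n";
    foreach (probe($data, $options) as $key => $value) {
        echo '  ', $key, ' = ', var_export($value, true), "\n";
    }
}
```

Run it with PHP 7.4 or later (typed properties). The `O:` case reports `wakeup_ran = true`, `cmd = ''` and `destruct_ran = true`; the `C:` case reports the "has no unserializer" warning from the report, `wakeup_ran = false`, `cmd = 'default'` and `destruct_ran = true`, i.e. the __wakeup "guard" never got a chance to run but the destructor still fired. With `allowed_classes => false` both payloads come back as `__PHP_Incomplete_Class` and neither magic method of `Guarded` runs, which is the check to rely on (or, better, not to unserialize untrusted input at all) rather than logic in __wakeup.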