php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #55303 zend_class_unserialize_deny does not work
Submitted: 2011-07-27 19:00 UTC Modified: 2016-07-26 22:57 UTC
From: gopalv@php.net Assigned: nikic (profile)
Status: Closed Package: Class/Object related
PHP Version: trunk-SVN-2011-07-27 (SVN) OS: Linux
Private report: No CVE-ID: None
 [2011-07-27 19:00 UTC] gopalv@php.net
Description:
------------
Disabling unserialize() for a class does not work when object_common1 is hit

In pecl/hidef trunk right now FrozenArray is marked with zend_class_unserialize_deny 

+    ce.serialize = zend_class_serialize_deny;
+    ce.unserialize = zend_class_unserialize_deny;

http://svn.php.net/viewvc/pecl/hidef/trunk/frozenarray.c?r1=311588&r2=313761

But the following code still fails to throw an exception (with hidef installed)

I traced the code to 

#0  frozen_array_new (ce=0xe34790) at /home/gopalv/apc_debug/hidef54/frozenarray.c:185
#1  0x00000000006a035b in _object_and_properties_init (arg=0x7ffff7fc8a38, class_type=0xe34790, properties=0x0) at /home/gopalv/apc_debug/PHP_5_4/Zend/zend_API.c:1122
#2  0x0000000000621b87 in object_common1 (rval=<value optimized out>, p=<value optimized out>, max=<value optimized out>, var_hash=<value optimized out>, ce=0xe34790) at ext/standard/var_unserializer.re:371
#3  0x0000000000622b9e in php_var_unserialize (rval=0x7fffffffb828, p=0x7fffffffb838, max=0x7ffff7eb8203 "", var_hash=0x7fffffffb830) at ext/standard/var_unserializer.re:717
#4  0x000000000060dd03 in zif_unserialize (ht=<value optimized out>, return_value=0x7ffff7fc8a38, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>)
    at /home/gopalv/apc_debug/PHP_5_4/ext/standard/var.c:942


Test script:
---------------
<?php

$s='O:11:"FrozenArray":3:{i:1;s:3:"xyz";i:2;s:3:"abc";i:0;s:5:"hello";}'; 

$a = unserialize($s);

print_r($a);


Expected result:
----------------
Fatal error: Uncaught exception 'Exception' with message 'Unserialization of 'FrozenArray' is not allowed' 


Actual result:
--------------
FrozenArray Object
(
)


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-07-27 23:58 UTC] cataphract@php.net
-Status: Open +Status: Verified
 [2011-07-27 23:58 UTC] cataphract@php.net
An example with a built-in function:

<?php
$c = unserialize('O:7:"Closure":0:{}');
var_dump($c);^D
object(Closure)#1 (0) {
}

ce.unserialize is not called if the serialized data doesn't indicate it's a "custom object".
 [2016-07-26 22:57 UTC] nikic@php.net
-Status: Verified +Status: Closed -Assigned To: +Assigned To: nikic
 [2016-07-26 22:57 UTC] nikic@php.net
This has been fixed in 5.5.13: https://3v4l.org/LEhlX
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 27 00:01:30 2024 UTC