Bug #55303 zend_class_unserialize_deny does not work
Submitted: 2011-07-27 19:00 UTC Modified: 2016-07-26 22:57 UTC
From: Assigned: nikic
Status: Closed Package: Class/Object related
PHP Version: trunk-SVN-2011-07-27 (SVN) OS: Linux
Private report: No CVE-ID: None
 [2011-07-27 19:00 UTC]
Disabling unserialize() for a class does not work when object_common1 is hit

In pecl/hidef trunk right now FrozenArray is marked with zend_class_unserialize_deny:

+    ce.serialize = zend_class_serialize_deny;
+    ce.unserialize = zend_class_unserialize_deny;
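Review bot: Assigning zend_class_unserialize_deny here does not refuse the plain "O:" wire format, only the custom "C:" one: the backtrace in this report shows an unserialize() call reaching object_common1 and _object_and_properties_init and instantiating FrozenArray without ever consulting ce->unserialize. The deny has to be enforced by the engine on the object_common1 path as well, not only by the handlers this hunk sets; the test script should therefore exercise an "O:"-format payload for FrozenArray, since that is the case that currently produces an object instead of the expected exception.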

But the following code still fails to throw an exception (with hidef installed)

I traced the code to:

#0  frozen_array_new (ce=0xe34790) at /home/gopalv/apc_debug/hidef54/frozenarray.c:185
#1  0x00000000006a035b in _object_and_properties_init (arg=0x7ffff7fc8a38, class_type=0xe34790, properties=0x0) at /home/gopalv/apc_debug/PHP_5_4/Zend/zend_API.c:1122
#2  0x0000000000621b87 in object_common1 (rval=<value optimized out>, p=<value optimized out>, max=<value optimized out>, var_hash=<value optimized out>, ce=0xe34790) at ext/standard/
#3  0x0000000000622b9e in php_var_unserialize (rval=0x7fffffffb828, p=0x7fffffffb838, max=0x7ffff7eb8203 "", var_hash=0x7fffffffb830) at ext/standard/
#4  0x000000000060dd03 in zif_unserialize (ht=<value optimized out>, return_value=0x7ffff7fc8a38, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>)
    at /home/gopalv/apc_debug/PHP_5_4/ext/standard/var.c:942

Test script:

$a = unserialize($s);

Expected result:
Fatal error: Uncaught exception 'Exception' with message 'Unserialization of 'FrozenArray' is not allowed'

Actual result:
FrozenArray Object


 [2011-07-27 23:58 UTC]
-Status: Open +Status: Verified
 [2011-07-27 23:58 UTC]
An example with a built-in function:

$c = unserialize('O:7:"Closure":0:{}');
object(Closure)#1 (0) {

ce.unserialize is not called if the serialized data doesn't indicate it's a "custom object".
 [2016-07-26 22:57 UTC]
-Status: Verified +Status: Closed -Assigned To: +Assigned To: nikic
 [2016-07-26 22:57 UTC]
This has been fixed in 5.5.13:
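As an added regression check that is not part of this report, of pecl/hidef, or of PHP's own test suite, the following PHP 7+ script builds an empty object payload in both wire formats for a class and reports whether the engine refuses each one; FrozenArray is only checked when pecl/hidef is loaded, and the built-in Closure is checked otherwise.

```php
<?php
// Added regression check for bug #55303; not code from the report, hidef, or PHP's test suite.
// A class that must not be unserialized has to be refused on BOTH wire formats:
//   "O:" (plain object, built via object_common1 in the report's backtrace) and
//   "C:" (custom object, routed through ce->unserialize).
// The bug was that only the "C:" path consulted zend_class_unserialize_deny.

/** Build minimal payloads for $class in both formats (constructed sample input). */
function deny_payloads(string $class): array {
    $n = strlen($class);
    return [
        'O' => sprintf('O:%d:"%s":0:{}', $n, $class),
        'C' => sprintf('C:%d:"%s":0:{}', $n, $class),
    ];
}

/** True when the engine refuses the payload (throws, or yields no object). */
function unserialize_denied(string $payload): bool {
    try {
        $value = @unserialize($payload);   // "@" silences the notice on malformed or rejected input
    } catch (Throwable $e) {
        return true;                        // fixed engines throw "Unserialization of '...' is not allowed"
    }
    return !is_object($value);
}

/** Per-format result map for a class, e.g. ['O' => true, 'C' => true] when fully denied. */
function check_class(string $class): array {
    $result = [];
    foreach (deny_payloads($class) as $format => $payload) {
        $result[$format] = unserialize_denied($payload);
    }
    return $result;
}

// Closure is built in and denies unserialization; FrozenArray only exists with pecl/hidef loaded.
foreach (['Closure', 'FrozenArray'] as $class) {
    if (!class_exists($class, false)) {
        printf("%-12s skipped (class not loaded)\n", $class);
        continue;
    }
    foreach (check_class($class) as $format => $denied) {
        printf("%-12s %s: %s\n", $class, $format, $denied ? 'denied' : 'NOT denied (bug #55303 behaviour)');
    }
}
```

On an engine still affected by this bug the "O" line for the class reads "NOT denied" while the "C" line reads "denied"; on a fixed engine both read "denied".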
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun May 26 11:01:32 2024 UTC