PHP :: Bug #55303 :: zend_class_unserialize

Bug #55303	zend_class_unserialize_deny does not work
Submitted:	2011-07-27 19:00 UTC	Modified:	2016-07-26 22:57 UTC
From:	gopalv@php.net	Assigned:	nikic (profile)
Status:	Closed	Package:	Class/Object related
PHP Version:	trunk-SVN-2011-07-27 (SVN)	OS:	Linux
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	gopalv@php.net
New email:
PHP Version:		OS:

New/Additional Comment:

[2011-07-27 19:00 UTC] gopalv@php.net

Description:
------------
Disabling unserialize() for a class does not work when object_common1 is hit

In pecl/hidef trunk right now FrozenArray is marked with zend_class_unserialize_deny 

+    ce.serialize = zend_class_serialize_deny;
+    ce.unserialize = zend_class_unserialize_deny;

http://svn.php.net/viewvc/pecl/hidef/trunk/frozenarray.c?r1=311588&r2=313761

But the following code still fails to throw an exception (with hidef installed)

I traced the code to 

#0  frozen_array_new (ce=0xe34790) at /home/gopalv/apc_debug/hidef54/frozenarray.c:185
#1  0x00000000006a035b in _object_and_properties_init (arg=0x7ffff7fc8a38, class_type=0xe34790, properties=0x0) at /home/gopalv/apc_debug/PHP_5_4/Zend/zend_API.c:1122
#2  0x0000000000621b87 in object_common1 (rval=<value optimized out>, p=<value optimized out>, max=<value optimized out>, var_hash=<value optimized out>, ce=0xe34790) at ext/standard/var_unserializer.re:371
#3  0x0000000000622b9e in php_var_unserialize (rval=0x7fffffffb828, p=0x7fffffffb838, max=0x7ffff7eb8203 "", var_hash=0x7fffffffb830) at ext/standard/var_unserializer.re:717
#4  0x000000000060dd03 in zif_unserialize (ht=<value optimized out>, return_value=0x7ffff7fc8a38, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>)
    at /home/gopalv/apc_debug/PHP_5_4/ext/standard/var.c:942


Test script:
---------------
<?php

$s='O:11:"FrozenArray":3:{i:1;s:3:"xyz";i:2;s:3:"abc";i:0;s:5:"hello";}'; 

$a = unserialize($s);

print_r($a);


Expected result:
----------------
Fatal error: Uncaught exception 'Exception' with message 'Unserialization of 'FrozenArray' is not allowed' 


Actual result:
--------------
FrozenArray Object
(
)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2011-07-27 23:58 UTC] cataphract@php.net

-Status: Open +Status: Verified

[2011-07-27 23:58 UTC] cataphract@php.net

An example with a built-in function:

<?php
$c = unserialize('O:7:"Closure":0:{}');
var_dump($c);^D
object(Closure)#1 (0) {
}

ce.unserialize is not called if the serialized data doesn't indicate it's a "custom object".

[2016-07-26 22:57 UTC] nikic@php.net

-Status: Verified +Status: Closed -Assigned To: +Assigned To: nikic

[2016-07-26 22:57 UTC] nikic@php.net

This has been fixed in 5.5.13: https://3v4l.org/LEhlX

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu May 02 13:01:30 2024 UTC