php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #61255 Unserialize should handle incorrect or missing string-length
Submitted: 2012-03-02 22:26 UTC Modified: 2012-03-03 10:39 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: mi+php at aldan dot algebra dot com Assigned:
Status: Wont fix Package: *Data Exchange functions
PHP Version: 5.3.10 OS: All
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: mi+php at aldan dot algebra dot com
New email:
PHP Version: OS:

 

 [2012-03-02 22:26 UTC] mi+php at aldan dot algebra dot com 
Description:
------------
A serializing string "foo" produces an intuitive result 's:3:"foo"' and unserialize() properly decodes that back.

It would be useful, however, if the unserialize function could handle (even if less efficiently) cases, where the string-length is missing or even specified incorrectly. Currently any such mismatches result in empty output from the function, even though `s:"foo"' or `s::"foo"' or even `s:4:"foo"' is no harder to understand.

The feature would be of help to those of us, who need to a massive search/replace in the dump of serialized objects.

Test script:
---------------
<?
$s1 = "s:7:\"1234567\"";
$s2 = "s:6:\"1234567\"";
$s3 = "s:8:\"1234567\"";
$s4 = "s::\"1234567\"";

print "S1: >" . unserialize($s1) . "<\n";
print "S2: >" . unserialize($s2) . "<\n";
print "S3: >" . unserialize($s3) . "<\n";
print "S4: >" . unserialize($s4) . "<\n";
?>


Expected result:
----------------
S1: >1234567<
S2: >1234567<
S3: >1234567<
S4: >1234567<


Actual result:
--------------
S1: >1234567<
S2: ><
S3: ><
S4: ><

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-03-03 00:45 UTC] anon at anon dot anon 
It depends on the lengths because the strings aren't escaped. serialize('"') = s:1:""";
 [2012-03-03 04:18 UTC] mi+php at aldan dot algebra dot com 
If the length is what's driving the parsing, then why are the strings S2 and S3 empty in my test? Shouldn't S2 be '123456' and S3 be '1234567"'?
 [2012-03-03 10:39 UTC] cataphract@php.net
-Status: Open +Status: Wont fix
 [2012-03-03 10:39 UTC] cataphract@php.net 
As mentioned, " is not escaped, making the length required. This is not even considering whether it would be a good idea to otherwise make unserialize lax.

You are of course free to write your own serialization/unserialization library, like igbinary.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 19 10:01:28 2024 UTC