php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #65724 unserialize doesn't always restore referenced objects
Submitted: 2013-09-20 12:34 UTC Modified: 2013-10-05 15:53 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: niko dot sams at gmail dot com Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 5.5.4 OS: Linux
Private report: No CVE-ID: None
 [2013-09-20 12:34 UTC] niko dot sams at gmail dot com
Description:
------------
when doing another unserialize that creates objects in an 
Serializable::unserialize implementation things break, the 'parent' isn't 
unserialized correctly.

ok: PHP 5.3.3-7+squeeze14
ok: PHP 5.3.10-1ubuntu3.6
fail: PHP 5.4.4-14+deb7u2
fail: PHP 5.5.3

See phpt test script:
http://paste.kde.org/p83ce39d0/

Test script:
---------------
class Bar {}
class Foo implements Serializable {
    public $test;
    public function __construct($test) { $this->test = $test; }
    public function serialize()
    {
        return $this->test;
    }
    public function unserialize($serialized)
    {
        //the following line causes problems
        unserialize('O:3:"Bar":1:{s:4:"bar1";O:3:"Bar":0:{}}');
        $this->test = $serialized;
    }
}
$foo1 = new Foo('foo1');
$foo2 = new Foo('foo2');
$foo3 = new Foo('foo3');
$ar = array(
    array(
        'instance' => $foo1,
    ),
    array(
        'instance' => $foo2,
    ),
    array(
        'instance' => $foo3,
        'parent' => $foo2
    )
);
$ar = serialize($ar);
$ar = unserialize($ar);
print_r($ar);

Expected result:
----------------
[parent] => Foo Object ( [test] => foo2 ) )

Actual result:
--------------
[parent] => foo2

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-09-20 15:16 UTC] bixuehujin at gmail dot com
Had a test on commit @8f146c2(https://github.com/php/php-src/commit/8f146c2bb0dcba3307f08a839554be056e660f34), segfault occurred.
 [2013-10-04 14:09 UTC] mike@php.net
-Status: Open +Status: Not a bug
 [2013-10-04 14:09 UTC] mike@php.net
We have a recursive context for Serializable, thus if you unserialize unrelated strings in the unserialize callback, you literally throw bricks into the stream.
 [2013-10-05 15:53 UTC] niko dot sams at gmail dot com
Ok, if this is not a bug which workaround do you suggest?

In my use case the unserialize method tiggers access to a config object which is cached and lazily loaded. So it can happen that loading the config is triggered inside unserialize.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Thu Aug 05 10:01:24 2021 UTC