php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69761 Serialization of anonymous classes should be prevented
Submitted: 2015-06-05 17:19 UTC Modified: 2015-06-06 01:56 UTC
From: mhujer at gmail dot com Assigned: krakjoe
Status: Closed Package: *General Issues
PHP Version: master-Git-2015-06-05 (snap) OS: Windows 8/Linux
Private report: No CVE-ID:
 [2015-06-05 17:19 UTC] mhujer at gmail dot com
Description:
------------
According to the Anonymous classes RFC (https://wiki.php.net/rfc/anonymous_classes), it should not be possible to serialize them ("Serialization is not supported, and will error just as anonymous functions do.").

But it is possible to serialize them in latest snapshot (Windows) or in 3v4l.org http://3v4l.org/tIEp7 - but the unserialization fails.

When I try to serialize Closure, exception with "Serialization of 'Closure' is not allowed" is thrown.

Test script:
---------------
<?php
$instance = new class('foo') {
    public function __construct($i) {
        var_dump($i);
    }
};
var_dump($instance);
var_dump(serialize($instance));
var_dump(unserialize(serialize($instance)));

$a = function ($a) {};
var_dump($a);
var_dump(serialize($a));
var_dump(unserialize(serialize($a)));



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-06-06 01:56 UTC] laruence@php.net
-Assigned To: +Assigned To: krakjoe
 [2015-06-13 02:54 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d96dda8d49711303d14471ac59ba929892bc532a
Log: Fixed Bug #69761 (Serialization of anonymous classes should be prevented)
 [2015-06-13 02:54 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2015-06-23 18:04 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d96dda8d49711303d14471ac59ba929892bc532a
Log: Fixed Bug #69761 (Serialization of anonymous classes should be prevented)
 [2016-07-20 11:38 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d96dda8d49711303d14471ac59ba929892bc532a
Log: Fixed Bug #69761 (Serialization of anonymous classes should be prevented)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Fri Jul 21 08:01:41 2017 UTC