PHP :: Bug #71840 :: Unserialize accepts wrongly data

Bug #71840	Unserialize accepts wrongly data
Submitted:	2016-03-17 04:27 UTC	Modified:	2016-03-17 07:14 UTC
From:	laruence@php.net	Assigned:
Status:	Closed	Package:	Scripting Engine problem
PHP Version:	Irrelevant	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

[2016-03-17 04:27 UTC] laruence@php.net

Description:
------------
This is part of the bug #71824  which is spotted by nikic

"
var_dump(unserialize('a:1:{s:0:""0a:0:{}}'));
                                 ^-- wrong

does not fail. That 0 should be a semicolon. We should not be accepting this string.

"

Test script:
---------------
var_dump(unserialize('a:1:{s:0:""0a:0:{}}'));

Expected result:
----------------
not accepted

Actual result:
--------------
accepted

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-03-17 05:15 UTC] ryat@php.net

https://bugs.php.net/bug.php?id=70638

[2016-03-17 07:29 UTC] laruence@php.net

Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6f241f5fad3a26810c96d5b634bfbceaeac10176
Log: Fixed bug #71840 (Unserialize accepts wrongly data)

[2016-03-17 07:29 UTC] laruence@php.net

-Status: Open +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Nov 22 00:01:30 2024 UTC