php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #71940 Unserialize crushes on restore object reference
Submitted: 2016-04-01 11:18 UTC Modified: 2016-04-07 13:10 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: oparkhomenko at magecore dot com Assigned:
Status: Closed Package: Class/Object related
PHP Version: 7.0Git-2016-04-01 (Git) OS: Debian
Private report: No CVE-ID:
 [2016-04-01 11:18 UTC] oparkhomenko at magecore dot com
Description:
------------
The PHP version 7.0.0 and over can't restore object that was serialized as reference.

Test script:
---------------
<?php

class Identity
{
    private $role;

    public function __construct($role)
    {
        $this->role = $role;
    }
}

class Entry implements \Serializable
{
    private $identity;

    public function __construct(Identity $identity)
    {
        $this->identity = $identity;
    }

    public function serialize()
    {
        return serialize(array($this->identity));
    }

    public function unserialize($serialized)
    {
        list($this->identity) = unserialize($serialized);
    }
}

$identity = new Identity('test');
$identityRef = &$identity;

$entry1 = new Entry($identity);
$entry2 = new Entry($identityRef);

$serialized = serialize([$entry1, $entry2]);
print_r(unserialize($serialized));

?>

Expected result:
----------------
Array
(
    [0] => Entry Object
        (
            [identity:Entry:private] => Identity Object
                (
                    [role:Identity:private] => test
                )

        )

    [1] => Entry Object
        (
            [identity:Entry:private] => Identity Object
                (
                    [role:Identity:private] => test
                )

        )

)


Actual result:
--------------
PHP Notice:  unserialize(): Error at offset 13 of 14 bytes in /opt/dev/test/Test.php on line 29
PHP Stack trace:
PHP   1. {main}() /opt/dev/test/Test.php:0
PHP   2. unserialize() /opt/dev/test/Test.php:40
PHP   3. Entry->unserialize() /opt/dev/test/Test.php:40
PHP   4. unserialize() /opt/dev/test/Test.php:29
Array
(
    [0] => Entry Object
        (
            [identity:Entry:private] => Identity Object
                (
                    [role:Identity:private] => test
                )

        )

    [1] => Entry Object
        (
            [identity:Entry:private] => 
        )

)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-04-07 05:58 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7e042224a26282938b866a49ca3d4af1b368c0cc
Log: Fixed bug #71940 (Unserialize crushes on restore object reference)
 [2016-04-07 05:58 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-04-07 13:10 UTC] oparkhomenko at magecore dot com
What stable version will include this fix ?
 [2016-07-20 11:32 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7e042224a26282938b866a49ca3d4af1b368c0cc
Log: Fixed bug #71940 (Unserialize crushes on restore object reference)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Apr 30 18:01:35 2017 UTC