Request #71995 Returning the same var twice from __sleep() produces broken serialized data
Submitted: 2016-04-08 20:05 UTC
Modified: 2016-04-09 15:12 UTC
From: jsnell at e-normous dot com
Assigned:
Status: Closed
Package: Unknown/Other Function
PHP Version: 7.0.5
OS: Linux
Private report: No
CVE-ID:
 [2016-04-08 20:05 UTC] jsnell at e-normous dot com
Description:
------------
If the same member variable is returned twice from __sleep() and that member variable is a reference, the serialized output errors when unserialized.  This "worked" before PHP7 and the error during unserialization appears in PHP 7.0.3 and later.  

Test script:
---------------
<?php

class C { }
class A { public $b; function __construct() { $this->b = new C(); }  function __sleep() {  return array("b", "b"); } }
$a = new A();
var_dump(unserialize(serialize($a)));

Expected result:
----------------
Notice: member variable "b" returned from __sleep() multiple times
or alternately, silently ignore the duplication.


Actual result:
--------------
Notice: unserialize(): Error at offset 43 of 44 bytes in /in/0FNkge on line 6
bool(false)
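
Added example, not part of the original report or of php-src: a userland check for the condition described above, listing names that __sleep() returns more than once, together with a deduplicating __sleep() override. Classes A and C follow the test script; FixedA, duplicateSleepNames() and roundTrips() are hypothetical names.

```php
<?php
// Added example: classes A and C mirror the report's test script;
// FixedA, duplicateSleepNames() and roundTrips() are hypothetical names.

class C { }

class A
{
    public $b;
    function __construct() { $this->b = new C(); }
    function __sleep() { return array("b", "b"); }
}

class FixedA extends A
{
    function __sleep()
    {
        // Deduplicate and reindex so each property is listed once.
        return array_values(array_unique(parent::__sleep()));
    }
}

// Names that __sleep() returns more than once (empty array when clean).
function duplicateSleepNames($object)
{
    if (!method_exists($object, '__sleep')) {
        return array();
    }
    $counts = array_count_values($object->__sleep());
    return array_keys(array_filter($counts, function ($n) { return $n > 1; }));
}

// unserialize() returns false on malformed data, which is also the value of
// a serialized false ("b:0;"), so that one payload is treated as a success.
function roundTrips($value)
{
    $data = serialize($value);
    return @unserialize($data) !== false || $data === 'b:0;';
}

foreach (array(new A(), new FixedA()) as $object) {
    printf("%s: duplicates=[%s] round-trips=%s\n",
        get_class($object),
        implode(',', duplicateSleepNames($object)),
        roundTrips($object) ? 'yes' : 'no');
}
```

The round-trip result for A depends on the PHP version in use; the duplicate check does not.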


History

 [2016-04-09 09:35 UTC] krakjoe@php.net
-Status: Open
+Status: Verified
 [2016-04-09 17:02 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5db4d9a71c1510921f1d5514d1e1d4bf53200eae
Log: Fixed bug #71995 (Returning the same var twice from __sleep() produces broken serialized data)
 [2016-04-09 17:02 UTC] laruence@php.net
-Status: Verified
+Status: Closed
 [2016-07-20 11:32 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5db4d9a71c1510921f1d5514d1e1d4bf53200eae
Log: Fixed bug #71995 (Returning the same var twice from __sleep() produces broken serialized data)
 
Last updated: Tue Jul 25 22:01:35 2017 UTC