Bug #74687 __wakeup called for nested serialized object after Serializable::unserialize
Submitted: 2017-06-01 09:55 UTC Modified: 2017-06-01 14:43 UTC
From: taco at procurios dot nl Assigned:
Status: Duplicate Package: Unknown/Other Function
PHP Version: 5.6.30 OS: linux
Private report: No CVE-ID: None
 [2017-06-01 09:55 UTC] taco at procurios dot nl
Description:
------------
When an object is unserialized within the unserialize method of a Serializable implementation, its __wakeup method will be called _after_ the unserialize call is finished, making the object invalid during the unserialize call.

Most likely (based on the changelogs of the first affected php versions) this behaviour was introduced by the fix for this bug: https://bugs.php.net/bug.php?id=70213

Test script:
---------------
Problem: https://3v4l.org/MlbuO
.phpt file: https://gist.githubusercontent.com/tacovandenbroek/0ed29d1a449c57dfb4335d1ec4b00cae/raw/42fdc427521969f0affe719cf84f829098824ba0/php%20__wakeup%20bug.phpt
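A minimal reproduction of the behaviour described in the report, added here as an illustration (it is not the reporter's test script or the .phpt linked above; the class names Inner and Outer are hypothetical):

```php
<?php
// Added example, not from the bug report. Inner carries transient state that
// __wakeup() is supposed to re-establish; Outer implements Serializable and
// unserializes an Inner inside its own unserialize() method.
class Inner
{
    public $ready = false;

    public function __wakeup()
    {
        // Re-establish state that is not part of the serialized payload.
        $this->ready = true;
    }
}

class Outer implements Serializable
{
    public $inner;
    public $readyDuringUnserialize;

    public function __construct(Inner $inner)
    {
        $this->inner = $inner;
    }

    public function serialize()
    {
        return serialize($this->inner);
    }

    public function unserialize($data)
    {
        $this->inner = unserialize($data);
        // The report describes that on affected versions the nested object's
        // __wakeup() has not yet run at this point, so any logic here that
        // depends on state set up by __wakeup() sees an incomplete object.
        $this->readyDuringUnserialize = $this->inner->ready;
    }
}

$outer = unserialize(serialize(new Outer(new Inner())));

// Compare the state observed inside Outer::unserialize() with the state
// after the outermost unserialize() call has returned.
var_dump($outer->readyDuringUnserialize, $outer->inner->ready);
```

The practical consequence for application code is the one the reporter states: inside Serializable::unserialize(), nothing may rely on a nested object's __wakeup() having already run.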


History

 [2017-06-01 10:02 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2017-06-01 10:02 UTC] nikic@php.net
Duplicate of bug #74436. TL;DR is that this is an intentional change due to a security fix. We haven't found a way to address both the security issues this fixes and preserve the existing behavior.
 [2017-06-01 12:41 UTC] taco at procurios dot nl
Reading the comments of #70213 it seems that the security issue was fixed in another bug fix. Is #70213 really a security fix or should it be reviewed more closely? In practice the current change in behavior makes it impossible to use the __wakeup method, since (in large projects and/or frameworks) there is no way to tell whether or not an object will be unserialized within an unserialize method.
 [2017-06-01 14:43 UTC] nikic@php.net
Sorry for being unclear, I was not referring to the bug report you linked. The directly relevant issues are bug #69425, bug #73092 and bug #72731, though this essentially fixes the entire class of wakeup-based unserialize attacks, for which we have dozens of security bug reports.
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Sun Jul 22 12:07:09 2018 UTC