|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74687 __wakeup called for nested serialized object after Serializable::unserialize
Submitted: 2017-06-01 09:55 UTC Modified: 2017-06-01 14:43 UTC
From: taco at procurios dot nl Assigned:
Status: Duplicate Package: Unknown/Other Function
PHP Version: 5.6.30 OS: linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: taco at procurios dot nl
New email:
PHP Version: OS:


 [2017-06-01 09:55 UTC] taco at procurios dot nl
When an object is unserialized within the unserialize method of a Serializable implementation, its __wakeup method will be called _after_ the unserialize call is finished, making the object invalid during the unserialize call.

Most likely (based on the changelogs of the first affected php versions) this behaviour was introduced by the fix for this bug:

Test script:
.phpt file:


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2017-06-01 10:02 UTC]
-Status: Open +Status: Duplicate
 [2017-06-01 10:02 UTC]
Duplicate of bug #74436. TL;DR is that this is an intentional change due to a security fix. We haven't found a way to address both the security issues this fixes and preserve the existing behavior.
 [2017-06-01 12:41 UTC] taco at procurios dot nl
Reading the comments of #70213 it seems that the security issue was fixed in another bug fix. Is #70213 really a security fix or should it be reviewed more closely? In practice the current change in behavior makes it impossible to use the __wakeup method, since (in large projects and/or frameworks) there is no way to tell whether or not an object will be unserialized within a unserialize method.
 [2017-06-01 14:43 UTC]
Sorry for being unclear, I was not referring to the bug report you linked. The directly relevant issues are bug #69425, bug #73092 and bug #72731, though this essentially fixes the entire class of wakeup-based unserialize attacks, for which we have dozens of security bug reports.
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Fri Aug 07 16:01:25 2020 UTC