Bug #74687 __wakeup called for nested serialized object after Serializable::unserialize
Submitted: 2017-06-01 09:55 UTC Modified: 2017-06-01 14:43 UTC
From: taco at procurios dot nl Assigned:
Status: Duplicate Package: Unknown/Other Function
PHP Version: 5.6.30 OS: linux
Private report: No CVE-ID: None
 [2017-06-01 09:55 UTC] taco at procurios dot nl
Description:
------------
When an object is unserialized within the unserialize method of a Serializable implementation, its __wakeup method will be called _after_ the unserialize call is finished, making the object invalid during the unserialize call.

Most likely (based on the changelogs of the first affected php versions) this behaviour was introduced by the fix for this bug: https://bugs.php.net/bug.php?id=70213

Test script:
---------------
Problem: https://3v4l.org/MlbuO
.phpt file: https://gist.githubusercontent.com/tacovandenbroek/0ed29d1a449c57dfb4335d1ec4b00cae/raw/42fdc427521969f0affe719cf84f829098824ba0/php%20__wakeup%20bug.phpt
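The following script is an added reproduction of the ordering described above; it is not the reporter's gist or the 3v4l snippet. The class and property names (`Inner`, `Outer`, `$ready`) are constructed for this example. An outer class implementing `Serializable` calls `unserialize()` on a nested payload whose class defines `__wakeup()`, and each step prints when it runs, so the deferral is visible.

```php
<?php
// Added example, not from the bug report. Reproduces the call ordering the
// report describes: a nested object's __wakeup() runs only after the enclosing
// Serializable::unserialize() has returned. All names here are constructed.

class Inner
{
    public $value = null;
    public $ready = false;

    public function __wakeup()
    {
        // Post-unserialize initialisation that the outer object would like to
        // rely on. On the affected versions this is deferred.
        $this->ready = true;
        echo "Inner::__wakeup ran\n";
    }
}

class Outer implements Serializable
{
    /** @var Inner|null */
    public $inner = null;

    public function serialize()
    {
        return serialize($this->inner);
    }

    public function unserialize($data)
    {
        // Nested unserialize() call inside Serializable::unserialize().
        $this->inner = unserialize($data);

        // The report's point: at this moment Inner::__wakeup() has not run yet,
        // so $this->inner->ready is still false on the affected versions.
        echo "Outer::unserialize finished, inner ready = "
            . var_export($this->inner->ready, true) . "\n";
    }
}

$inner = new Inner();
$inner->value = 42;

$outer = new Outer();
$outer->inner = $inner;

$payload  = serialize($outer);
$restored = unserialize($payload);

// By the time the outermost unserialize() returns, the deferred __wakeup()
// calls have been flushed and the nested object is in its intended state.
echo "outermost unserialize returned, inner ready = "
    . var_export($restored->inner->ready, true) . "\n";
```

On the versions the report describes as affected, the expected output order is the `Outer::unserialize finished, inner ready = false` line first, then `Inner::__wakeup ran`, then the final line with `true`. The practical consequence for code that must work across versions is to avoid depending inside `Serializable::unserialize()` on a nested object's `__wakeup()` having already run: keep that initialisation in a method the outer object calls explicitly once it holds the inner object, rather than in `__wakeup()` itself. Note that on PHP 8.1 and later, implementing `Serializable` without `__serialize()`/`__unserialize()` emits a deprecation notice, so the script prints that notice before its own output there.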


 [2017-06-01 10:02 UTC] nikic@php.net
Status changed: Open -> Duplicate
 [2017-06-01 10:02 UTC] nikic@php.net
Duplicate of bug #74436. TL;DR is that this is an intentional change due to a security fix. We haven't found a way to address both the security issues this fixes and preserve the existing behavior.
 [2017-06-01 12:41 UTC] taco at procurios dot nl
Reading the comments of #70213 it seems that the security issue was fixed in another bug fix. Is #70213 really a security fix or should it be reviewed more closely? In practice the current change in behavior makes it impossible to use the __wakeup method, since (in large projects and/or frameworks) there is no way to tell whether or not an object will be unserialized within a unserialize method.
 [2017-06-01 14:43 UTC] nikic@php.net
Sorry for being unclear, I was not referring to the bug report you linked. The directly relevant issues are bug #69425, bug #73092 and bug #72731, though this essentially fixes the entire class of wakeup-based unserialize attacks, for which we have dozens of security bug reports.