|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2017-08-07 19:50 UTC] stas@php.net
[2017-08-13 19:40 UTC] cmb@php.net
-Type: Security
+Type: Bug
[2017-08-13 19:40 UTC] cmb@php.net
[2020-12-05 16:21 UTC] cmb@php.net
-Status: Open
+Status: Not a bug
-Assigned To:
+Assigned To: cmb
[2020-12-05 16:21 UTC] cmb@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Wed Apr 24 19:01:31 2024 UTC |
Description: ------------ PoC 1: ``` class ryat { var $hi; function __wakeup() { echo 'hi'; } function __destruct() { echo $this->hi; } } $array = ['php_class_name'=>'ryat', 'hi'=>'ryat']; wddx_deserialize(wddx_serialize_value($array)); ``` PoC 2: ``` ini_set('session.serialize_handler', 'wddx'); session_start(); $array = ['php_class_name'=>'ryat', 'hi'=>'ryat']; $_SESSION['ryat'] = $array; session_decode(session_encode()); class ryat { var $hi; function __wakeup() { echo 'hi'; } function __destruct() { echo $this->hi; } } ``` Fix: ``` static void php_wddx_serialize_array(wddx_packet *packet, zval *arr) { ... if (is_struct) { ent_type = zend_hash_get_current_key_ex(target_hash, &key, &key_len, &idx, 0, NULL); if (ent_type == HASH_KEY_IS_STRING) { + if (!strcmp(key, PHP_CLASS_NAME_VAR)) { + continue; + } php_wddx_serialize_var(packet, *ent, key, key_len TSRMLS_CC); ```