php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #75965 DateTimeZone object has not been correctly initialized after unserialization
Submitted: 2018-02-15 14:33 UTC Modified: 2020-12-07 13:03 UTC
Votes:5
Avg. Score:4.2 ± 1.0
Reproduced:4 of 4 (100.0%)
Same Version:3 (75.0%)
Same OS:2 (50.0%)
From: ivan at podorozhny dot ru Assigned:
Status: Wont fix Package: Scripting Engine problem
PHP Version: 7.1.14 OS: Ubuntu 16.04.3 LTS 4.4.0-28-gene
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: ivan at podorozhny dot ru
New email:
PHP Version: OS:

 

 [2018-02-15 14:33 UTC] ivan at podorozhny dot ru 
Description:
------------


PHP 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 (cli) (built: Jun  9 2017 08:26:34) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.1.6-1~ubuntu16.04.1+deb.sury.org+1, Copyright (c) 1999-2017, by Zend Technologies
    with Xdebug v2.5.5, Copyright (c) 2002-2017, by Derick Rethans

Test script:
---------------
class Foobar implements \Serializable
{
    /** @return string */
    public function serialize(): string
    {
        return serialize(new \DateTimeZone('Europe/Andorra'));
    }

    /** @param string $serialized */
    public function unserialize($serialized)
    {
        var_dump($serialized);
        var_dump(unserialize($serialized)->getName());
    }
}

(new Foobar())->unserialize((new Foobar())->serialize());
var_dump(unserialize(serialize(new Foobar())));

Expected result:
----------------
The DateTimeZone object correct initialization

Actual result:
--------------
/tmp/test.php:14:
string(86) "O:12:"DateTimeZone":2:{s:13:"timezone_type";i:3;s:8:"timezone";s:14:"Europe/Andorra";}"
/tmp/test.php:15:
string(14) "Europe/Andorra"
/tmp/test.php:14:
string(86) "O:12:"DateTimeZone":2:{s:13:"timezone_type";i:3;s:8:"timezone";s:14:"Europe/Andorra";}"
PHP Warning:  DateTimeZone::getName(): The DateTimeZone object has not been correctly initialized by its constructor in /tmp/test.php on line 15
PHP Stack trace:
PHP   1. {main}() /tmp/test.php:0
PHP   2. unserialize() /tmp/test.php:20
PHP   3. Foobar->unserialize() /tmp/test.php:20
PHP   4. DateTimeZone->getName() /tmp/test.php:15
/tmp/test.php:15:
bool(false)
/tmp/test.php:20:
class Foobar#1 (0) {
}

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-12-07 12:27 UTC] cmb@php.net
-Status: Open +Status: Verified -Package: *General Issues +Package: Scripting Engine problem
 [2020-12-07 12:27 UTC] cmb@php.net 
That looks indeed broken: <https://3v4l.org/QEdfQ>.  May have been
caused by one of the sec fixes in PHP 7.1.1[1].

[1] <https://www.php.net/ChangeLog-7.php#7.1.1>
 [2020-12-07 13:03 UTC] nikic@php.net
-Status: Verified +Status: Wont fix
 [2020-12-07 13:03 UTC] nikic@php.net 
See https://wiki.php.net/rfc/custom_object_serialization:

> This leaves us in a situation where Serializable::unserialize() is called immediately, while __wakeup() is delayed. As such, the former method sees objects before they have been fully unserialized. For example, this makes using DateTime objects within Serializable::unserialize() unsafe, as they will not be fully initialized yet. 

This bug is unfixable, which is part of why Serializable is being phased out. You can avoid it by not using Serializable.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Tue Apr 23 22:01:31 2024 UTC