|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75965 DateTimeZone object has not been correctly initialized after unserialization
Submitted: 2018-02-15 14:33 UTC Modified: 2020-12-07 13:03 UTC
Avg. Score:4.2 ± 1.0
Reproduced:4 of 4 (100.0%)
Same Version:3 (75.0%)
Same OS:2 (50.0%)
From: ivan at podorozhny dot ru Assigned:
Status: Wont fix Package: Scripting Engine problem
PHP Version: 7.1.14 OS: Ubuntu 16.04.3 LTS 4.4.0-28-gene
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: ivan at podorozhny dot ru
New email:
PHP Version: OS:


 [2018-02-15 14:33 UTC] ivan at podorozhny dot ru

PHP (cli) (built: Jun  9 2017 08:26:34) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache, Copyright (c) 1999-2017, by Zend Technologies
    with Xdebug v2.5.5, Copyright (c) 2002-2017, by Derick Rethans

Test script:
class Foobar implements \Serializable
    /** @return string */
    public function serialize(): string
        return serialize(new \DateTimeZone('Europe/Andorra'));

    /** @param string $serialized */
    public function unserialize($serialized)

(new Foobar())->unserialize((new Foobar())->serialize());
var_dump(unserialize(serialize(new Foobar())));

Expected result:
The DateTimeZone object correct initialization

Actual result:
string(86) "O:12:"DateTimeZone":2:{s:13:"timezone_type";i:3;s:8:"timezone";s:14:"Europe/Andorra";}"
string(14) "Europe/Andorra"
string(86) "O:12:"DateTimeZone":2:{s:13:"timezone_type";i:3;s:8:"timezone";s:14:"Europe/Andorra";}"
PHP Warning:  DateTimeZone::getName(): The DateTimeZone object has not been correctly initialized by its constructor in /tmp/test.php on line 15
PHP Stack trace:
PHP   1. {main}() /tmp/test.php:0
PHP   2. unserialize() /tmp/test.php:20
PHP   3. Foobar->unserialize() /tmp/test.php:20
PHP   4. DateTimeZone->getName() /tmp/test.php:15
class Foobar#1 (0) {


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2020-12-07 12:27 UTC]
-Status: Open +Status: Verified -Package: *General Issues +Package: Scripting Engine problem
 [2020-12-07 12:27 UTC]
That looks indeed broken: <>.  May have been
caused by one of the sec fixes in PHP 7.1.1[1].

[1] <>
 [2020-12-07 13:03 UTC]
-Status: Verified +Status: Wont fix
 [2020-12-07 13:03 UTC]

> This leaves us in a situation where Serializable::unserialize() is called immediately, while __wakeup() is delayed. As such, the former method sees objects before they have been fully unserialized. For example, this makes using DateTime objects within Serializable::unserialize() unsafe, as they will not be fully initialized yet. 

This bug is unfixable, which is part of why Serializable is being phased out. You can avoid it by not using Serializable.
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Tue May 17 13:05:45 2022 UTC