Bug #76632 Nested serialize() with shared references yields wrong unserialization
Submitted: 2018-07-16 12:43 UTC Modified: 2020-04-20 15:05 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: niklas dot correnz at hcom dot de Assigned: cmb (profile)
Status: Wont fix Package: *General Issues
PHP Version: 7.1.19 OS: Ubuntu 16.04
Private report: No CVE-ID: None
 [2018-07-16 12:43 UTC] niklas dot correnz at hcom dot de
Description:
------------
When implementing \Serializable, a nested serialize() call will cause the unserialize() result to be messed up.

Nested serialize() calls often occur when extending classes and overwriting serialize() with additional fields, so this is not unusual. Our test script simulates this by nesting serialize().

The result still breaks if the array with the referenced objects is not inside the nested serialize(), but instead any additional property is serialized with a nested call (not in the test script).

Test script:
---------------
<?php
// Two stdClass objects that are shared by both groups below.
$role1 = new \stdClass();
$role1->name = 'role1';
$role2 = new \stdClass();
$role2->name = 'role2';
class group implements \Serializable {
  private $roles;
  public function __construct(array $roles) {
    $this->roles = $roles;
  }
  // Nested serialize(): the inner call yields an opaque string embedded in the outer payload.
  public function serialize() {
    return serialize([serialize($this->roles)]);
  }
  public function unserialize($serialized) {
    $this->roles = unserialize(unserialize($serialized)[0]);
  }
}
$group1 = new \group([$role1, $role2]);
$group2 = new \group([$role1, $role2]);
var_dump(unserialize(serialize([$group1, $group2])));

Expected result:
----------------
array (size=2)
  0 => 
    object(group)[5]
      private 'roles' => 
        array (size=2)
          0 => 
            object(stdClass)[6]
              public 'name' => string 'role1' (length=5)
          1 => 
            object(stdClass)[7]
              public 'name' => string 'role2' (length=5)
  1 => 
    object(group)[8]
      private 'roles' => 
        array (size=2)
          0 => 
            object(stdClass)[6]
              public 'name' => string 'role1' (length=5)
          1 => 
            object(stdClass)[7]
              public 'name' => string 'role2' (length=5)

Actual result:
--------------
array (size=2)
  0 => 
    object(group)[5]
      private 'roles' => 
        array (size=2)
          0 => 
            object(stdClass)[6]
              public 'name' => string 'role1' (length=5)
          1 => 
            object(stdClass)[7]
              public 'name' => string 'role2' (length=5)
  1 => 
    object(group)[8]
      private 'roles' => 
        array (size=2)
          0 => string 'a:2:{i:0;O:8:"stdClass":1:{s:4:"name";s:5:"role1";}i:1;O:8:"stdClass":1:{s:4:"name";s:5:"role2";}}' (length=98)
          1 => 
            object(stdClass)[6]
              public 'name' => string 'role1' (length=5)

History

 [2018-07-16 13:39 UTC] cmb@php.net
See <https://externals.io/message/98834>.
 [2020-04-20 15:05 UTC] cmb@php.net
-Status: Open +Status: Wont fix -Assigned To: +Assigned To: cmb
 [2020-04-20 15:05 UTC] cmb@php.net
The Serializable interface has unresolvable issues, and is superseded by the __serialize() and __unserialize() magic methods[1].

[1] <https://www.php.net/manual/en/language.oop5.magic.php#object.serialize>
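The reporter's group class rewritten with the __serialize()/__unserialize() magic methods that the previous comment points to, as an added example (not code from the bug report or from PHP itself); it assumes PHP 7.4 or later, where these methods exist, and the class name Group and accessor getRoles() are this example's own. Because the array returned by __serialize() is emitted in the same serialization context as the outer array, the shared stdClass instances become back-references instead of an opaque nested string, so both groups round-trip intact.

```php
<?php
// Added example, not part of the original bug report. Requires PHP >= 7.4.

class Group
{
    private array $roles;

    public function __construct(array $roles)
    {
        $this->roles = $roles;
    }

    public function getRoles(): array
    {
        return $this->roles;
    }

    // Return plain data; no inner serialize() call, so there is only one
    // object identity table for the whole payload.
    public function __serialize(): array
    {
        return ['roles' => $this->roles];
    }

    public function __unserialize(array $data): void
    {
        $this->roles = $data['roles'];
    }
}

$role1 = new \stdClass();
$role1->name = 'role1';
$role2 = new \stdClass();
$role2->name = 'role2';

$groups  = [new Group([$role1, $role2]), new Group([$role1, $role2])];
$payload = serialize($groups);

// Restrict which classes may be instantiated from the payload; anything
// else comes back as __PHP_Incomplete_Class instead of a live object.
$restored = unserialize($payload, [
    'allowed_classes' => [Group::class, \stdClass::class],
]);

// Check: the second group has two stdClass roles (not a string), and the
// role shared by both groups is still a single instance after the round trip.
$intact = count($restored[1]->getRoles()) === 2
    && $restored[1]->getRoles()[0] instanceof \stdClass
    && $restored[0]->getRoles()[0] === $restored[1]->getRoles()[0];
var_dump($intact);
```

Running the original test script and this one side by side shows the difference: the Serializable version loses the second group's roles, while this version keeps them and preserves object identity across the two groups.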