|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76737 Unserialized reflection objects are broken, but they shouldn't be serializable
Submitted: 2018-08-13 14:13 UTC Modified: 2018-09-29 12:49 UTC
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: nicolas dot grekas+php at gmail dot com Assigned: nikic (profile)
Status: Closed Package: Reflection related
PHP Version: 7.1Git-2018-08-13 (Git) OS:
Private report: No CVE-ID: None
 [2018-08-13 14:13 UTC] nicolas dot grekas+php at gmail dot com
When serializing any `Reflector` instance, but also `ReflectionType` and `ReflectionGenerator` (which are the only two classes of the reflection extension not implementing `Reflector` BTW), then the unserialized value is unusable and throws `Error`: "Internal error: Failed to retrieve the reflection object" on any method calls.

This is legit, but instead of this late error, these should not be serializable in the first place.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2018-08-14 13:25 UTC]
-Status: Open +Status: Verified
 [2018-08-14 13:25 UTC]
See also the related FR #62919.
 [2018-08-20 13:59 UTC] nicolas dot grekas+php at gmail dot com
Note that IteratorIterator and RecursiveIteratorIterator also shouldn't be serializable.
(and by the way, they're missing a private __clone method, same for ReflectionGenerator)
 [2018-09-29 12:48 UTC]
Automatic comment on behalf of
Log: Fixed bug #76737
 [2018-09-29 12:48 UTC]
-Status: Verified +Status: Closed
 [2018-09-29 12:49 UTC]
-Assigned To: +Assigned To: nikic
 [2018-09-29 12:49 UTC]
Fixed for master only (PHP 7.4), as this may potentially break some code unintentionally serializing reflection objects.
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Sun Dec 03 21:01:29 2023 UTC