Bug #81151 bypass __wakeup
Submitted: 2021-06-17 05:21 UTC Modified: 2021-06-17 11:39 UTC
Votes:15
Avg. Score:3.3 ± 1.1
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: j7ur8 at qq dot com Assigned:
Status: Open Package: Class/Object related
PHP Version: 7.3.28 OS: All
Private report: No CVE-ID: None
 [2021-06-17 05:21 UTC] j7ur8 at qq dot com
Description:
------------
use `C:` to bypass __wakeup.

Test script:
---------------
<?php
// https://3v4l.org/YAje0
class E  {
	public function __construct(){
		// never called by unserialize(), for either the O: or the C: form
	}

	public function __destruct(){
		echo "destruct";
	}

	public function __wakeup(){
		echo "wake up";
	}
}
// C: form for a class without Serializable: warning, no __wakeup, __destruct still runs
var_dump(unserialize('C:1:"E":0:{}'));

Expected result:
----------------
Since `class E` doesn't implement Serializable, maybe unserialize should return an Error.

Actual result:
--------------
Warning: Class E has no unserializer in /in/YAje0 on line 17
object(E)#1 (0) {
}
destruct

/*
In my understanding, "C:" means a class implements Serializable, and it doesn't support __wakeup. Here, class E doesn't implement Serializable, and __wakeup is ineffective while __destruct works. Should it be? I don't know.

*/
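As an added example (not from the bug report or from PHP's own tests): a class whose `__wakeup` is meant to disarm a destructive `__destruct`, showing that the `C:` form reaches `__destruct` without `__wakeup` ever running, and that decoding untrusted input with `allowed_classes => false` makes both the `O:` and the `C:` form inert. `TempFile`, `unserializeUntrusted` and the payload strings are constructed for this illustration.

```php
<?php
// Added example, not from the bug report. __wakeup is not a gate in front of
// __destruct: the C: form instantiates the class with its default property
// values and skips __wakeup. unserialize()'s allowed_classes option (PHP >= 7.0)
// stops either form from instantiating the named class at all.

final class TempFile
{
    // Default is the "active" state; __wakeup is meant to switch it off for any
    // instance rebuilt from serialized data. Values are constructed samples.
    public $deleteOnDestruct = true;
    public $path = '/tmp/example.tmp';

    public function __wakeup()
    {
        $this->deleteOnDestruct = false;
    }

    public function __destruct()
    {
        // Echo only; a real class would act on $this->path here.
        echo $this->deleteOnDestruct
            ? "destruct: active, would act on {$this->path}\n"
            : "destruct: inert\n";
    }
}

// Hardened wrapper for untrusted input: with allowed_classes => false every
// O: or C: token yields __PHP_Incomplete_Class, so neither __wakeup nor
// __destruct of the named class can run (the "has no unserializer" warning
// may still be raised for the incomplete class, hence the @).
function unserializeUntrusted($data)
{
    return @unserialize($data, ['allowed_classes' => false]);
}

$objForm    = 'O:8:"TempFile":0:{}';   // constructed: ordinary object form
$customForm = 'C:8:"TempFile":0:{}';   // constructed: the form from the report

echo "-- O: form, __wakeup runs --\n";
unserialize($objForm);                 // prints "destruct: inert"

echo "-- C: form, __wakeup skipped --\n";
@unserialize($customForm);             // prints "destruct: active, would act on ..."

echo "-- untrusted input through the wrapper --\n";
$r = unserializeUntrusted($customForm);
var_dump($r instanceof __PHP_Incomplete_Class);  // bool(true), no destruct output
```

The wrapper is the practical takeaway: an allowlist of expected classes (or `false`) in `allowed_classes` is what keeps attacker-chosen classes out of `unserialize()`, not any magic method on the class itself.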

History

 [2021-06-17 05:24 UTC] stas@php.net
-Type: Security +Type: Bug
 [2021-06-17 05:24 UTC] stas@php.net
__wakeup is not a security feature, so it's not a security issue.
 [2021-06-17 11:39 UTC] cmb@php.net
Promoting this warning to an Exception makes some sense to me, but
would constitute a BC break, and given that the C format is
obsolete[1], it might be best to stick with the warning.

[1] <https://wiki.php.net/rfc/phase_out_serializable>
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 13:01:29 2024 UTC