Bug #81151 bypass __wakeup
Submitted: 2021-06-17 05:21 UTC
Modified: 2021-06-17 11:39 UTC
Avg. Score: 3.4 ± 1.1
Reproduced: 1 of 1 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: j7ur8 at qq dot com
Assigned:
Status: Open
Package: Class/Object related
PHP Version: 7.3.28
OS: All
Private report: No
CVE-ID: None


 [2021-06-17 05:21 UTC] j7ur8 at qq dot com
Use `C:` to bypass __wakeup.

Test script:
<?php
class E  {
	public function __construct(){
	}

	public function __destruct(){
		echo "destruct";
	}

	public function __wakeup(){
		echo "wake up";
	}
}

Expected result:
Because `class E` doesn't implement Serializable, maybe unserialize should return an Error.

Actual result:
Warning: Class E has no unserializer in /in/YAje0 on line 17
object(E)#1 (0) {
}

In my understanding, "C:" means a class implements Serializable, and it doesn't support __wakeup. Here, class E doesn't implement Serializable, and __wakeup is ineffective while __destruct works. Should it be? I don't know.



 [2021-06-17 05:24 UTC]
-Type: Security +Type: Bug
 [2021-06-17 05:24 UTC]
__wakeup is not a security feature, so it's not a security issue.
 [2021-06-17 11:39 UTC]
Promoting this warning to an Exception makes some sense to me, but
would constitute a BC break, and given that the C format is
obsolete[1], it might be best to stick with the warning.

[1] <>
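
The replies above say that __wakeup is not a security feature and that the "has no unserializer" case stays a warning. As an added example (not part of the report and not PHP project code), one way an application can handle this on its own side: restrict unserialize() to an allow-list, promote its warnings to exceptions for that one call, and validate after decoding instead of in __wakeup. `Settings`, `decode_settings()` and the sample payloads are hypothetical and constructed for illustration.

```php
<?php
// Added example: Settings and decode_settings() are hypothetical names,
// and the payloads at the bottom are constructed samples.
final class Settings
{
    public $theme = 'light';

    public function __wakeup()
    {
        // Not called for "C:" records, so no validation is placed here.
    }
}

function decode_settings(string $blob): Settings
{
    // Turn every unserialize() warning or notice, including
    // "Class Settings has no unserializer", into an exception for this call only.
    set_error_handler(function (int $errno, string $errstr) {
        throw new UnexpectedValueException("unserialize: $errstr");
    });
    try {
        // Classes outside the allow-list come back as __PHP_Incomplete_Class.
        $value = unserialize($blob, ['allowed_classes' => [Settings::class]]);
    } finally {
        restore_error_handler();
    }
    if (!$value instanceof Settings) {
        throw new UnexpectedValueException('payload is not a Settings object');
    }
    // Invariants are checked here, after decoding, on every path.
    if (!in_array($value->theme, ['light', 'dark'], true)) {
        throw new UnexpectedValueException('invalid theme');
    }
    return $value;
}

$samples = [
    'regular O: record' => serialize(new Settings()),
    'tampered property' => 'O:8:"Settings":1:{s:5:"theme";s:4:"evil";}',
    'class not on list' => 'O:8:"stdClass":0:{}',
    'C: record'         => 'C:8:"Settings":0:{}',
];
foreach ($samples as $label => $blob) {
    try {
        decode_settings($blob);
        echo "$label: accepted\n";
    } catch (UnexpectedValueException $e) {
        echo "$label: rejected (", $e->getMessage(), ")\n";
    }
}
```
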
 [2023-08-24 09:28 UTC] fwrcferfr at gmail dot com
Thanks for the information.