Bug #81151 bypass __wakeup
Submitted: 2021-06-17 05:21 UTC Modified: 2021-06-17 11:39 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: j7ur8 at qq dot com Assigned:
Status: Open Package: Class/Object related
PHP Version: 7.3.28 OS: All
Private report: No CVE-ID: None
 [2021-06-17 05:21 UTC] j7ur8 at qq dot com
Description:
------------
Use `C:` to bypass __wakeup.

Test script:
---------------
<?php
// https://3v4l.org/YAje0
class E  {
	public function __construct(){

	}

	public function __destruct(){
		echo "destruct";
	}

	public function __wakeup(){
		echo "wake up";
	}
}

var_dump(unserialize('C:1:"E":0:{}')); // "C:" (Serializable) format, but E does not implement Serializable

Expected result:
----------------
Since `class E` doesn't implement Serializable, maybe unserialize should return an Error.

Actual result:
--------------
Warning: Class E has no unserializer in /in/YAje0 on line 17
object(E)#1 (0) {
}
destruct

/*
In my understanding, "C:" means a class implements Serializable, and it doesn't support __wakeup. Here, class E doesn't implement Serializable, __wakeup is ineffective, and __destruct works. Should it be? I don't know.

*/
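The following PHP script is an added example, not code from the bug report or from PHP itself. It reproduces the report's finding with a class whose __wakeup() is written as a "never unserialize me" guard, and then shows the defensive consequence: because the legacy "C:" format instantiates a non-Serializable class with only a warning and without calling __wakeup(), the guard is not a substitute for restricting which classes untrusted input may instantiate. The payloads, the class name E and the helper tryUnserialize() are constructed for this example; the behaviour relied on is the one shown in the report's "Actual result" plus unserialize()'s documented allowed_classes option.

```php
<?php
// Added example; not code from the bug report or from PHP itself.
// Illustrates the report's finding (a legacy "C:" payload instantiates a
// non-Serializable class without calling __wakeup()) and the defensive
// consequence: a __wakeup() guard is not a substitute for restricting
// which classes untrusted input may instantiate.

class E
{
    // Pattern seen in real code: "this class must never be unserialized".
    // It only works for the "O:" format, where __wakeup() is actually called.
    public function __wakeup()
    {
        throw new LogicException('E must not be unserialized');
    }

    public function __destruct()
    {
        echo "destruct\n";
    }
}

// Helper (constructed for this example) that reports what unserialize()
// produced, or that the __wakeup() guard rejected the payload.
function tryUnserialize(string $label, string $payload, array $options = []): void
{
    try {
        // @ hides the "Class E has no unserializer" warning the report shows;
        // it does not hide the exception thrown by __wakeup().
        $value = @unserialize($payload, $options);
        echo "$label: got " . (is_object($value) ? get_class($value) : gettype($value)) . "\n";
    } catch (LogicException $e) {
        echo "$label: rejected by __wakeup ({$e->getMessage()})\n";
    }
}

// Constructed payloads. Neither carries properties; the point is which
// hook runs, not which data is restored.
$objectFormat = 'O:1:"E":0:{}';
$legacyFormat = 'C:1:"E":0:{}'; // the report's payload

tryUnserialize('O: format', $objectFormat); // rejected by __wakeup
tryUnserialize('C: format', $legacyFormat); // got E: warning only, __wakeup skipped, __destruct runs later

// Mitigation: do not let untrusted input choose classes. With
// allowed_classes => false, both formats yield __PHP_Incomplete_Class,
// which has neither a __wakeup() nor a __destruct() of its own, so no
// application code runs during unserialization or cleanup.
$noClasses = ['allowed_classes' => false];
tryUnserialize('O: format, no classes', $objectFormat, $noClasses); // got __PHP_Incomplete_Class
tryUnserialize('C: format, no classes', $legacyFormat, $noClasses); // got __PHP_Incomplete_Class
```

Where objects genuinely have to come out of unserialize(), pass an explicit class allowlist in allowed_classes and validate the result in the caller; anything that arrives as __PHP_Incomplete_Class should be treated as a rejected payload rather than silently used.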

History
 [2021-06-17 05:24 UTC] stas@php.net
-Type: Security +Type: Bug
 [2021-06-17 05:24 UTC] stas@php.net
__wakeup is not a security feature, so it's not a security issue.
 [2021-06-17 11:39 UTC] cmb@php.net
Promoting this warning to an Exception makes some sense to me, but
would constitute a BC break, and given that the C format is
obsolete[1], it might be best to stick with the warning.

[1] <https://wiki.php.net/rfc/phase_out_serializable>
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Wed Sep 22 03:03:36 2021 UTC