PHP :: Bug #81151 :: bypass _

Bug #81151

bypass __wakeup

Submitted:

2021-06-17 05:21 UTC

Modified:

2021-06-17 11:39 UTC

Votes:	15
Avg. Score:	3.3 ± 1.1
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

j7ur8 at qq dot com

Assigned:

Status:

Open

Package:

Class/Object related

PHP Version:

7.3.28

OS:

All

Private report:

CVE-ID:

None

View Developer Edit

[2021-06-17 05:21 UTC] j7ur8 at qq dot com

Description:
------------
use `C:` to bypass __wakeup.

Test script:
---------------
// https://3v4l.org/YAje0
<?php
class E  {
	public function __construct(){

	}

	public function __destruct(){
		echo "destruct";
	}

	public function __wakeup(){
		echo "wake up";
	}
}

var_dump(unserialize('C:1:"E":0:{}'));

Expected result:
----------------
For `class E` don't implements Serializable, maybe unserialize should return an Error.

Actual result:
--------------
Warning: Class E has no unserializer in /in/YAje0 on line 17
object(E)#1 (0) {
}
destruct

/*
In my understand, "C:" means a class implements Serializable, and it don't suport  __wakeup. At here, class E doesn't implements Serializable, and __wakeup ineffective, __destruct works. Should it be? i don't know.

*/

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2021-06-17 05:24 UTC] stas@php.net

-Type: Security +Type: Bug

[2021-06-17 05:24 UTC] stas@php.net

__wakeup is not a security feature, so it's not a security issue.

[2021-06-17 11:39 UTC] cmb@php.net

Promoting this warning to an Exception makes some sense to me, but
would constitute a BC break, and given that the C format is
obsolete[1], it might be best to stick with the warning.

[1] <https://wiki.php.net/rfc/phase_out_serializable>

[2023-08-24 09:28 UTC] fwrcferfr at gmail dot com

Thanks for the information.  (https://github.com)(https://www.telltims.net)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Nov 01 16:01:30 2024 UTC