Edit report at https://bugs.php.net/bug.php?id=55303&edit=1

ID:                 55303
Updated by:         cataphr...@php.net
Reported by:        gop...@php.net
Summary:            zend_class_unserialize_deny does not work
-Status:            Open
+Status:            Verified
Type:               Bug
Package:            Class/Object related
Operating System:   Linux
PHP Version:        trunk-SVN-2011-07-27 (SVN)
Block user comment: N
Private report:     N

New Comment:

An example with a built-in function:

<?php
$c = unserialize('O:7:"Closure":0:{}');
var_dump($c);
^D
object(Closure)#1 (0) {
}

ce.unserialize is not called if the serialized data doesn't indicate it's a "custom object".


Previous Comments:
------------------------------------------------------------------------
[2011-07-27 19:00:39] gop...@php.net

Description:
------------
Disabling unserialize() for a class does not work when object_common1 is hit.

In pecl/hidef trunk right now FrozenArray is marked with zend_class_unserialize_deny:

+ ce.serialize = zend_class_serialize_deny;
+ ce.unserialize = zend_class_unserialize_deny;

http://svn.php.net/viewvc/pecl/hidef/trunk/frozenarray.c?r1=311588&r2=313761

But the following code still fails to throw an exception (with hidef installed).

I traced the code to

#0  frozen_array_new (ce=0xe34790) at /home/gopalv/apc_debug/hidef54/frozenarray.c:185
#1  0x00000000006a035b in _object_and_properties_init (arg=0x7ffff7fc8a38, class_type=0xe34790, properties=0x0) at /home/gopalv/apc_debug/PHP_5_4/Zend/zend_API.c:1122
#2  0x0000000000621b87 in object_common1 (rval=<value optimized out>, p=<value optimized out>, max=<value optimized out>, var_hash=<value optimized out>, ce=0xe34790) at ext/standard/var_unserializer.re:371
#3  0x0000000000622b9e in php_var_unserialize (rval=0x7fffffffb828, p=0x7fffffffb838, max=0x7ffff7eb8203 "", var_hash=0x7fffffffb830) at ext/standard/var_unserializer.re:717
#4  0x000000000060dd03 in zif_unserialize (ht=<value optimized out>, return_value=0x7ffff7fc8a38, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>) at /home/gopalv/apc_debug/PHP_5_4/ext/standard/var.c:942

Test script:
---------------
<?php
$s = 'O:11:"FrozenArray":3:{i:1;s:3:"xyz";i:2;s:3:"abc";i:0;s:5:"hello";}';
$a = unserialize($s);
print_r($a);

Expected result:
----------------
Fatal error: Uncaught exception 'Exception' with message 'Unserialization of 'FrozenArray' is not allowed'

Actual result:
--------------
FrozenArray Object
(
)

------------------------------------------------------------------------
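Review bot: Setting ce.unserialize to zend_class_unserialize_deny in the two quoted lines only gates the custom-object ("C:") path; the backtrace in this report shows an "O:" record reaching object_common1 and _object_and_properties_init without that handler being consulted, so the deny is not enforced for plain object records. Until var_unserializer checks ce->unserialize on that path as well, the extension needs a second guard that runs when FrozenArray is instantiated by the unserializer (the frozen_array_new frame in the trace) to get the expected exception.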
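The userland counterpart of the behaviour reported above, as an added example that is not part of this bug report, of PHP's own test suite, or of pecl/hidef: Serializable::unserialize() plays the role of ce->unserialize and is consulted only for "C:" (custom object) records, while "O:" records are instantiated directly and then handed to __wakeup() (or __unserialize() on PHP 7.4 and later), so a deny check placed only in the "C:" path is bypassed by an "O:" payload. The class name DenyUnserialize and the two payloads are constructed for the example; the allowed_classes option is the built-in one available from PHP 7.0.

```php
<?php
// Added example, not code from the bug report or from pecl/hidef.
// DenyUnserialize is a constructed class name.
class DenyUnserialize implements Serializable
{
    // "C:" path: the userland analogue of ce->serialize / ce->unserialize.
    public function serialize()
    {
        throw new Exception('Serialization of ' . __CLASS__ . ' is not allowed');
    }

    public function unserialize($data)
    {
        throw new Exception('Unserialization of ' . __CLASS__ . ' is not allowed');
    }

    // PHP 7.4+: __serialize/__unserialize take over the "O:" path and also
    // silence the 8.1 deprecation of Serializable-only classes.
    public function __serialize()
    {
        throw new Exception('Serialization of ' . __CLASS__ . ' is not allowed');
    }

    public function __unserialize(array $data)
    {
        throw new Exception('Unserialization of ' . __CLASS__ . ' is not allowed');
    }

    // "O:" path on PHP < 7.4: the object is created and its properties set
    // without ever reaching Serializable::unserialize(); __wakeup() is the
    // only hook left to repeat the deny check.
    public function __wakeup()
    {
        throw new Exception('Unserialization of ' . __CLASS__ . ' is not allowed');
    }
}

// Attempt to unserialize one payload and report whether it was blocked.
function tryUnserialize($label, $payload)
{
    try {
        $v = unserialize($payload);
        echo $label, ': created ', is_object($v) ? get_class($v) : gettype($v), "\n";
    } catch (Exception $e) {
        echo $label, ': blocked (', $e->getMessage(), ")\n";
    }
}

// Constructed payloads: "C:" is the custom-object record, "O:" the plain one.
// Both are blocked only because the class guards both paths.
tryUnserialize('C: record', 'C:15:"DenyUnserialize":0:{}');
tryUnserialize('O: record', 'O:15:"DenyUnserialize":0:{}');

// Independent of the class: on PHP >= 7.0 unserialize() can refuse to
// instantiate any class at all, turning every object record into
// __PHP_Incomplete_Class. This is the guard to use on untrusted input.
$v = unserialize('O:15:"DenyUnserialize":0:{}', array('allowed_classes' => false));
echo 'allowed_classes=false: ', get_class($v), "\n";
```

Removing __wakeup() and __unserialize() from the class reproduces the situation in this report in userland: the "C:" payload is still rejected, while the "O:" payload yields a live DenyUnserialize object even though Serializable::unserialize() throws. The allowed_classes check does not depend on the class cooperating, which is why it is the more robust control for data that did not originate from the application itself.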