mirror of
https://github.com/php/php-src.git
synced 2026-04-22 23:48:14 +02:00
f2e8c5da90
* unserialize: Strictly check for `:{` at object start
* unserialize: Update CVE tests
It's unlikely that the object syntax error contributed to the actual CVE. The
CVE is rather caused by the incorrect object serialization data of the `C`
format. Add a second string without such a syntax error to ensure that path is
still executed as well to ensure the CVE is absent.
* Fix test expectation in gmp/tests/bug74670.phpt
No changes to the input required, because the test actually is intended to
verify the behavior for a missing `}`, it's just that the report position changed.
* NEWS
* UPGRADING
28 lines
626 B
PHP
--TEST--
Bug #73029: Missing type check when unserializing SplArray
--FILE--
<?php
try {
    $a = 'C:11:"ArrayObject":19:{x:i:0;r:2;;m:a:0:{}}';
    $m = unserialize($a);
    $x = $m[2];
} catch(UnexpectedValueException $e) {
    print $e->getMessage() . "\n";
}
try {
    $a = 'C:11:"ArrayObject":19:0x:i:0;r:2;;m:a:0:{}}';
    $m = unserialize($a);
    $x = $m[2];
} catch(UnexpectedValueException $e) {
    print $e->getMessage() . "\n";
}
?>
DONE
--EXPECTF--
Error at offset 10 of 19 bytes

Notice: unserialize(): Error at offset 22 of 43 bytes in %s on line %d

Warning: Trying to access array offset on value of type bool in %s on line %d
DONE
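A strict `:{` check on the `C:` object header, sketched in C as an added example (this is not php-src's parser code). The function name `check_custom_object_header` and the convention of returning the offset of the first non-matching byte are assumptions made for this illustration; the two inputs in `main` are the strings from the test file above.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Read an unsigned decimal at buf[*pos]; returns 0 on no digits or overflow. */
static int read_uint(const char *buf, size_t len, size_t *pos, size_t *out)
{
    size_t start = *pos, v = 0;
    while (*pos < len && isdigit((unsigned char)buf[*pos])) {
        size_t d = (size_t)(buf[*pos] - '0');
        if (v > ((size_t)-1 - d) / 10) return 0;
        v = v * 10 + d;
        (*pos)++;
    }
    *out = v;
    return *pos > start;
}

/* Compare one delimiter byte instead of skipping over it unchecked. */
#define EXPECT(c) do { if (pos >= len || buf[pos] != (c)) return (long)pos; pos++; } while (0)

/* Hypothetical helper: -1 if C:<n>:"<name>":<m>:{<m bytes>} is well formed,
 * otherwise the offset of the first byte that does not match. */
long check_custom_object_header(const char *buf, size_t len)
{
    size_t pos = 1, name_len, data_len;

    if (len < 1 || buf[0] != 'C') return 0;
    EXPECT(':');
    if (!read_uint(buf, len, &pos, &name_len)) return (long)pos;
    EXPECT(':'); EXPECT('"');
    if (name_len > len - pos) return (long)pos;    /* name runs past the input */
    pos += name_len;
    EXPECT('"'); EXPECT(':');
    if (!read_uint(buf, len, &pos, &data_len)) return (long)pos;
    EXPECT(':'); EXPECT('{');                      /* the strict `:{` check */
    if (data_len >= len - pos) return (long)len;   /* payload + '}' must fit */
    if (buf[pos + data_len] != '}') return (long)(pos + data_len);
    return -1;
}

int main(void)
{
    /* The two inputs from the test file above. */
    const char *in[] = { "C:11:\"ArrayObject\":19:{x:i:0;r:2;;m:a:0:{}}",
                         "C:11:\"ArrayObject\":19:0x:i:0;r:2;;m:a:0:{}}" };
    for (int i = 0; i < 2; i++)
        printf("%ld\n", check_custom_object_header(in[i], strlen(in[i])));
    return 0;
}
```

The first input passes the header check (the `Error at offset 10 of 19 bytes` in the expected output comes from the inner payload, which this sketch does not parse); the second fails at offset 22, the byte where `{` is required.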