mirror of
https://github.com/php/php-src.git
synced 2026-04-23 07:58:20 +02:00
Stanislav Malyshev
97047e7665
* PHP-5.6: update NEWS fix test update NEWS Fix bug #70019 - limit extracted files to given directory Do not do convert_to_* on unserialize, it messes up references Fix #69793 - limit what we accept when unserializing exception Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList) Fixed bug #70166 - Use After Free Vulnerability in unserialize() with SPLArrayObject ignore signatures for packages too Fix bug #70168 - Use After Free Vulnerability in unserialize() with SplObjectStorage Fixed bug #69892 Fix bug #70014 - use RAND_bytes instead of deprecated RAND_pseudo_bytes Improved fix for Bug #69441 Fix bug #70068 (Dangling pointer in the unserialization of ArrayObject items) Fix bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref) Fix bug #70081: check types for SOAP variables Conflicts: Zend/zend_exceptions.c ext/date/php_date.c ext/openssl/openssl.c ext/phar/phar_internal.h ext/soap/php_http.c ext/spl/spl_array.c ext/spl/spl_dllist.c ext/spl/spl_observer.c ext/standard/tests/serialize/bug69152.phpt sapi/cli/tests/005.phpt
18 lines
730 B
PHP
18 lines
730 B
PHP
--TEST--
|
|
Bug #69152: Type Confusion Infoleak Vulnerability in unserialize()
|
|
--FILE--
|
|
<?php
|
|
$x = unserialize('O:9:"exception":1:{s:16:"'."\0".'Exception'."\0".'trace";s:4:"ryat";}');
|
|
echo $x;
|
|
$x = unserialize('O:4:"test":1:{s:27:"__PHP_Incomplete_Class_Name";R:1;}');
|
|
$x->test();
|
|
|
|
?>
|
|
--EXPECTF--
|
|
Notice: Undefined property: Exception::$previous in %s on line %d
|
|
Exception in %s:%d
|
|
Stack trace:
|
|
#0 {main}
|
|
|
|
Fatal error: main(): The script tried to execute a method or access a property of an incomplete object. Please ensure that the class definition "unknown" of the object you are trying to operate on was loaded _before_ unserialize() gets called or provide a __autoload() function to load the class definition in %s on line %d
|