814a932734
This prevents serialization and unserialization of a class and its children in a way that does not depend on the zend_class_serialize_deny and zend_class_unserialize_deny handlers that will be going away in PHP 9 together with the Serializable interface. In stubs, `@not-serializable` can be used to set this flag. This patch only uses the new flag for a handful of Zend classes, converting the remainder is left for later. Closes GH-7249. Fixes bug #81111.
--TEST--
Bug #81111: Serialization is unexpectedly allowed on anonymous classes with __serialize()
--FILE--
<?php
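/**
 * Regression fixture for bug #81111: a user subclass of SplFileInfo that
 * defines the __serialize()/__unserialize() hooks.
 *
 * The hooks are deliberately trivial. The test asserts that serialize() and
 * unserialize() refuse this class by name (see the "... of 'MySplFileInfo'
 * is not allowed" lines in --EXPECTF--), i.e. that the not-serializable
 * flag of the parent class wins over hooks declared on a child.
 */
class MySplFileInfo extends SplFileInfo
{
    /** @return array{} nothing to persist */
    public function __serialize(): array
    {
        return [];
    }

    /**
     * @param array $value payload produced by __serialize(); unused
     */
    public function __unserialize(array $value): void
    {
        // No state to restore. The previous fixture returned a fresh
        // instance here, but __unserialize() is a void hook and that value
        // was never used, so the dead return is dropped.
    }
}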
// serialize() on the user subclass: the denial inherited from SplFileInfo
// must apply even though the child declares __serialize() (EXPECTF line
// "Serialization of 'MySplFileInfo' is not allowed").
try {
    serialize(new MySplFileInfo(__FILE__));
} catch (Exception $denied) {
    echo $denied->getMessage() . "\n";
}
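// Anonymous-class fixture carrying the same hooks. EXPECTF expects
// serialize() to refuse it as 'class@anonymous', so neither hook is meant
// to run; both are typed as the engine requires and kept trivial.
$anon = new class () {
    /** @return array{} nothing to persist */
    public function __serialize(): array
    {
        return [];
    }

    /** @param array $value payload produced by __serialize(); unused */
    public function __unserialize(array $value): void
    {
    }
};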
// Same check for the anonymous instance. EXPECTF expects the class to be
// reported as 'class@anonymous', not as its full generated name.
try {
    serialize($anon);
} catch (Exception $denied) {
    echo $denied->getMessage() . "\n";
}
// Both wire formats must be refused for the subclass: "O:" is the generic
// object format and "C:" the legacy Serializable-interface format. EXPECTF
// expects the same "Unserialization of 'MySplFileInfo' is not allowed"
// message for each payload.
foreach (["O:13:\"MySplFileInfo\":0:{}", "C:13:\"MySplFileInfo\":0:{}"] as $payload) {
    try {
        unserialize($payload);
    } catch (Exception $denied) {
        echo $denied->getMessage() . "\n";
    }
}
// Unserializing the anonymous class by its generated name. strlen() is
// deliberately byte-wise: the length prefix of the "O:" format counts
// bytes. EXPECTF expects this payload to fail at parse time (the
// "Error at offset 0" notice) rather than to reach a class-name denial.
$name = $anon::class;
try {
    unserialize(sprintf('O:%d:"%s":0:{}', strlen($name), $name));
} catch (Exception $denied) {
    echo $denied->getMessage() . "\n";
}
?>
--EXPECTF--
Serialization of 'MySplFileInfo' is not allowed
Serialization of 'class@anonymous' is not allowed
Unserialization of 'MySplFileInfo' is not allowed
Unserialization of 'MySplFileInfo' is not allowed
Notice: unserialize(): Error at offset 0 of %d bytes in %s on line %d