mirror of
https://github.com/php/php-src.git
synced 2026-04-18 13:31:27 +02:00
2135fdef9b
Don't call __destruct() on an unserialized object that has a __wakeup() method if either a) unserialization of its properties fails or b) the __wakeup() call fails (e.g. by throwing). This basically treats __wakeup() as a form of constructor and aligns us with the usual behavior that if the constructor call fails the destructor should not be called. The security aspect here is that people use __wakeup() to prevent unserialization of objects with dangerous __destruct() methods, but this is ineffective if __destruct() can still be called while __wakeup() was skipped.
57 lines
1.1 KiB
PHP
57 lines
1.1 KiB
PHP
--TEST--
|
|
Bug #72663 (1): Don't call __destruct if __wakeup not called or fails
|
|
--FILE--
|
|
<?php
|
|
|
|
class Test1 {
|
|
public function __wakeup() {
|
|
echo "Wakeup\n";
|
|
}
|
|
public function __destruct() {
|
|
echo "Dtor\n";
|
|
}
|
|
}
|
|
|
|
class Test2 {
|
|
public function __wakeup() {
|
|
throw new Exception('Unserialization forbidden');
|
|
}
|
|
public function __destruct() {
|
|
echo "Dtor\n";
|
|
}
|
|
}
|
|
|
|
// Unserialize object with error in properties
|
|
$s = 'O:5:"Test1":1:{s:10:"";}';
|
|
var_dump(unserialize($s));
|
|
|
|
// Variation: Object is turned into a reference
|
|
$s = 'O:5:"Test1":2:{i:0;R:1;s:10:"";}';
|
|
var_dump(unserialize($s));
|
|
|
|
// Unserialize object with throwing __wakeup
|
|
$s = 'O:5:"Test2":0:{}';
|
|
try {
|
|
var_dump(unserialize($s));
|
|
} catch (Exception $e) {
|
|
echo "Caught\n";
|
|
}
|
|
//
|
|
// Variation: Object is turned into a reference
|
|
$s = 'O:5:"Test2":1:{i:0;R:1;}';
|
|
try {
|
|
var_dump(unserialize($s));
|
|
} catch (Exception $e) {
|
|
echo "Caught\n";
|
|
}
|
|
|
|
?>
|
|
--EXPECTF--
|
|
Notice: unserialize(): Error at offset 17 of 24 bytes in %s on line %d
|
|
bool(false)
|
|
|
|
Notice: unserialize(): Error at offset 25 of 32 bytes in %s on line %d
|
|
bool(false)
|
|
Caught
|
|
Caught
|