-
-
Save anonymous/8c4125af9766d591072526b25bebce08 to your computer and use it in GitHub Desktop.
Patch for 73091
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| commit 1b29e4488e19c89e5b37ecb26acaec443d7f1355 | |
| Author: Stanislav Malyshev <stas@php.net> | |
| Date: Sun Sep 25 16:43:24 2016 -0700 | |
| Fix bug #73091 - Unserializing DateInterval object may lead to __toString invocation | |
| diff --git a/ext/date/php_date.c b/ext/date/php_date.c | |
| index dbcd9d0..d4c695c 100644 | |
| --- a/ext/date/php_date.c | |
| +++ b/ext/date/php_date.c | |
| @@ -4113,7 +4113,7 @@ static int php_date_interval_initialize_from_hash(zval **return_value, php_inter | |
| #define PHP_DATE_INTERVAL_READ_PROPERTY(element, member, itype, def) \ | |
| do { \ | |
| zval *z_arg = zend_hash_str_find(myht, element, sizeof(element) - 1); \ | |
| - if (z_arg) { \ | |
| + if (z_arg && Z_TYPE_P(z_arg) <= IS_STRING) { \ | |
| (*intobj)->diff->member = (itype)zval_get_long(z_arg); \ | |
| } else { \ | |
| (*intobj)->diff->member = (itype)def; \ | |
| @@ -4123,7 +4123,7 @@ static int php_date_interval_initialize_from_hash(zval **return_value, php_inter | |
| #define PHP_DATE_INTERVAL_READ_PROPERTY_I64(element, member) \ | |
| do { \ | |
| zval *z_arg = zend_hash_str_find(myht, element, sizeof(element) - 1); \ | |
| - if (z_arg) { \ | |
| + if (z_arg && Z_TYPE_P(z_arg) <= IS_STRING) { \ | |
| zend_string *str = zval_get_string(z_arg); \ | |
| DATE_A64I((*intobj)->diff->member, ZSTR_VAL(str)); \ | |
| zend_string_release(str); \ | |
| diff --git a/ext/date/tests/bug73091.phpt b/ext/date/tests/bug73091.phpt | |
| new file mode 100644 | |
| index 0000000..668ef50 | |
| --- /dev/null | |
| +++ b/ext/date/tests/bug73091.phpt | |
| @@ -0,0 +1,46 @@ | |
| +--TEST-- | |
| +Bug #73091 (Unserializing DateInterval object may lead to __toString invocation) | |
| +--FILE-- | |
| +<?php | |
| +class foo { | |
| + function __toString() { | |
| + var_dump(0); | |
| + return 'may be a bug'; | |
| + } | |
| +} | |
| + | |
| +var_dump(unserialize('O:12:"DateInterval":1:{s:4:"days";O:3:"foo":0:{}}')); | |
| +?> | |
| +--EXPECTF-- | |
| +object(DateInterval)#%d (15) { | |
| + ["days"]=> | |
| + int(-1) | |
| + ["y"]=> | |
| + int(-1) | |
| + ["m"]=> | |
| + int(-1) | |
| + ["d"]=> | |
| + int(-1) | |
| + ["h"]=> | |
| + int(-1) | |
| + ["i"]=> | |
| + int(-1) | |
| + ["s"]=> | |
| + int(-1) | |
| + ["weekday"]=> | |
| + int(-1) | |
| + ["weekday_behavior"]=> | |
| + int(-1) | |
| + ["first_last_day_of"]=> | |
| + int(-1) | |
| + ["invert"]=> | |
| + int(0) | |
| + ["special_type"]=> | |
| + int(0) | |
| + ["special_amount"]=> | |
| + int(-1) | |
| + ["have_weekday_relative"]=> | |
| + int(0) | |
| + ["have_special_relative"]=> | |
| + int(0) | |
| +} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment