
PHP Bug in recursive unserialization

.gitignore
*.out
a.ser
A.php
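<?php

/**
 * Empty fixture class for the unserialize() reproduction.
 *
 * serialize_autoload.php attaches the properties b, b1, c and c1 to an
 * instance at runtime; nothing is declared here on purpose.
 *
 * The file opens with the full "<?php" tag rather than the short "<?" tag.
 * With short_open_tag disabled, a "<?" file is emitted as plain text when the
 * autoloader requires it: the class is never defined and the file's text ends
 * up in the captured test output.
 */
class A
{
}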
B.php
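<?php

/**
 * Empty fixture class for the unserialize() reproduction.
 *
 * serialize_autoload.php creates two instances and stores each one under two
 * property names of an A object, so the serialized payload contains repeated
 * references to the same B object.
 *
 * The file opens with the full "<?php" tag rather than the short "<?" tag.
 * With short_open_tag disabled, a "<?" file is emitted as plain text when the
 * autoloader requires it: the class is never defined and the file's text ends
 * up in the captured test output.
 */
class B
{
}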
run_test.sh
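#!/bin/sh
# Round-trip check for the unserialize() reproduction.
#
# Dumps the object graph before serialization and after unserialization, prints
# both dumps, and diffs them. The two dumps are expected to be identical.
#
# Exit status: 0 when the dumps match, 1 when they differ, so the script can be
# used from other tooling instead of relying on someone reading the output.

# Remove artifacts of an earlier run. Without this, a failed serialize step
# would leave the unserialize step reading a stale a.ser from a previous run.
rm -f a.ser before.out after.out

php serialize_autoload.php > before.out
php unserialize_autoload.php > after.out

echo "Original =========="
cat before.out
echo
echo "Unserialized ======"
cat after.out
echo
echo "Diff =============="
# -a forces text comparison even if a dump contains bytes diff would treat as binary.
if diff -a before.out after.out; then
    echo "Passed, no differences"
else
    echo "FAILED ============"
    exit 1
fi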
serialize_autoload.php
<?php
require "setup.php";
 
// Build an object graph in which each B instance is reachable through two
// properties of the same A object: b/b1 alias one instance, c/c1 alias another.
// The serialized form therefore has to encode repeated references, which the
// unserialize side must resolve back to shared objects.
//
// Instantiation order (A, then B) and property order (b, b1, c, c1) are kept
// fixed because both show up in the dump that run_test.sh compares.
$a = new A();
$first = new B();
$second = new B();

$a->b = $first;
$a->b1 = $first;
$a->c = $second;
$a->c1 = $second;

// Reference dump, captured by run_test.sh as before.out.
var_dump($a);

// Payload consumed by unserialize_autoload.php.
$payload = serialize($a);
file_put_contents('a.ser', $payload);
setup.php
<?php
/**
 * Legacy global autoload hook used by this reproduction.
 *
 * Prints the requested class name, runs an unrelated unserialize() call, then
 * requires "<name>.php".
 *
 * unserialize_autoload.php unserializes a.ser, whose objects are of classes A
 * and B. Those classes are only defined by this hook, so it runs while the
 * outer unserialize() is still in progress, and the call below is therefore a
 * nested (re-entrant) unserialize().
 *
 * NOTE(review): $name goes into the require path without validation. In this
 * test it only ever names the fixture classes A and B. An autoloader that can
 * be reached from unserialize() on data the program did not write itself
 * should resolve names against a fixed list or a fixed base directory.
 *
 * @param string $name Class name the engine is trying to resolve.
 * @return bool Always true.
 */
function __autoload($name)
{
// The echo lands in the captured before.out / after.out, so the sequence of
// autoload calls is part of what run_test.sh diffs.
echo "in autoload: $name\n";
// Bug trigger: nested unserialize() of a plain serialized integer; the result
// is discarded. Presumably it disturbs the outer call's reference bookkeeping
// (the failing output is not shown here).
unserialize('i:4;');
require "$name.php";
return true;
}
unserialize_autoload.php
<?php
require 'setup.php';
 
// Read back the payload written by serialize_autoload.php and dump the rebuilt
// graph; run_test.sh captures this as after.out and diffs it against the
// original dump.
//
// unserialize() instantiates whatever classes the payload names and calls the
// autoloader for any that are undefined, which is why it is fed only the
// a.ser generated locally by this test.
$payload = file_get_contents("a.ser");
$restored = unserialize($payload);
var_dump($restored);
