Skip to content

Instantly share code, notes, and snippets.

@danielbeardsley

danielbeardsley/.gitignore

Created August 14, 2012 23:34
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save danielbeardsley/3353895 to your computer and use it in GitHub Desktop.
Save danielbeardsley/3353895 to your computer and use it in GitHub Desktop.
Download ZIP
PHP Bug in recursive unserialization
Raw
A.php
<?
class A {
}
Raw
B.php
<?
class B {
}
Raw
run_test.sh
#!/bin/sh
php serialize_autoload.php > before.out
php unserialize_autoload.php > after.out
echo "Original =========="
cat before.out
echo
echo "Unserialized ======"
cat after.out
echo
echo "Diff =============="
(diff -a before.out after.out && echo "Passed, no differences") ||
echo "FAILED ============"
Raw
serialize_autoload.php
<?php
require "setup.php";
$a = new A();
$b = new B();
$c = new B();
$a->b = $b;
$a->b1 = $b;
$a->c = $c;
$a->c1 = $c;
var_dump($a);
file_put_contents('a.ser', serialize($a));
Raw
setup.php
<?php
function __autoload($name)
{
echo "in autoload: $name\n";
// This call causes the bug
unserialize('i:4;');
require "$name.php";
return true;
}
Raw
unserialize_autoload.php
<?php
require 'setup.php';
var_dump(unserialize(file_get_contents("a.ser")));
@danielbeardsley
Copy link
Author

Reported a bug in PHP here: https://bugs.php.net/bug.php?id=62836

@danielbeardsley
Copy link
Author

And it got fixed here: php/php-src@0b23da1

This bug is fixed as of php 5.4.7

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment