--- /dev/null
+--TEST--
+Bug #67072 Echoing unserialized "SplFileObject" crash - BC break fixes
+--FILE--
+<?php
+class MySplFileObject extends SplFileObject {}
+class MyArrayObject extends ArrayObject{ var $a = 1; }
+echo unserialize('O:15:"MySplFileObject":1:{s:9:"*filename";s:15:"/home/flag/flag";}');
+
+function testClass($className)
+{
+ // simulate phpunit
+ $object = unserialize(sprintf('O:%d:"%s":0:{}', strlen($className), $className));
+ return $object;
+}
+
+class MyClass {}
+class MyClassSer implements Serializable {
+ function serialize() { return "";}
+ function unserialize($data) { }
+}
+class MyClassSer2 extends MyClassSer {
+}
+
+$classes = array('stdClass', 'MyClass', 'MyClassSer', 'MyClassSer2', 'SplFileObject', 'MySplFileObject',
+ 'SplObjectStorage', 'FooBar', 'Closure', 'ArrayObject', 'MyArrayObject',
+ 'Directory'
+ );
+foreach($classes as $cl) {
+ var_dump(testClass($cl));
+}
+
+?>
+===DONE==
+--EXPECTF--
+Warning: Erroneous data format for unserializing 'MySplFileObject' in %s on line 4
+
+Notice: unserialize(): Error at offset 26 of 66 bytes in %s on line 4
+object(stdClass)#%d (0) {
+}
+object(MyClass)#%d (0) {
+}
+object(MyClassSer)#%d (0) {
+}
+object(MyClassSer2)#%d (0) {
+}
+
+Warning: Erroneous data format for unserializing 'SplFileObject' in %s on line 9
+
+Notice: unserialize(): Error at offset 24 of 25 bytes in %s on line 9
+bool(false)
+
+Warning: Erroneous data format for unserializing 'MySplFileObject' in %s on line 9
+
+Notice: unserialize(): Error at offset 26 of 27 bytes in %s on line 9
+bool(false)
+object(SplObjectStorage)#%d (1) {
+ ["storage":"SplObjectStorage":private]=>
+ array(0) {
+ }
+}
+object(__PHP_Incomplete_Class)#%d (1) {
+ ["__PHP_Incomplete_Class_Name"]=>
+ string(6) "FooBar"
+}
+
+Warning: Erroneous data format for unserializing 'Closure' in %s on line 9
+
+Notice: unserialize(): Error at offset 17 of 18 bytes in %s on line 9
+bool(false)
+object(ArrayObject)#%d (1) {
+ ["storage":"ArrayObject":private]=>
+ array(0) {
+ }
+}
+object(MyArrayObject)#1 (2) {
+ ["a"]=>
+ int(1)
+ ["storage":"ArrayObject":private]=>
+ array(0) {
+ }
+}
+object(Directory)#1 (0) {
+}
+===DONE==
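Review bot: The last two expectations, `object(MyArrayObject)#1 (2) {` and `object(Directory)#1 (0) {`, hard-code the object handle, while every other dump in the EXPECTF section uses `#%d`. A literal `#1` makes the test depend on handle allocation rather than on the unserialize behaviour being pinned. I would write them as `object(MyArrayObject)#%d (2) {` and `object(Directory)#%d (0) {`. A one-line comment above the first `echo unserialize(...)` would also help, for example `// O: payload for a class whose unserialization is denied; must warn and return false, not crash`, so the next reader knows why the call is expected to produce only the warning and notice.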
-/* Generated by re2c 0.13.5 on Tue Jun 3 10:23:35 2014 */
+/* Generated by re2c 0.13.5 on Sat Jun 21 21:27:56 2014 */
#line 1 "ext/standard/var_unserializer.re"
/*
+----------------------------------------------------------------------+
#include "php.h"
#include "ext/standard/php_var.h"
#include "php_incomplete_class.h"
+#include "Zend/zend_interfaces.h"
/* {{{ reference-handling for unserializer: var_* */
#define VAR_ENTRIES_MAX 1024
#define YYMARKER marker
-#line 234 "ext/standard/var_unserializer.re"
+#line 235 "ext/standard/var_unserializer.re"
Serializable interface have eventually an inconsistent behavior at this place when
unserialized from a manipulated string. Additionaly the interal classes can possibly
crash PHP so they're still disabled here. */
- if (ce->serialize == NULL || ZEND_INTERNAL_CLASS != ce->type) {
+ if (ce->serialize == NULL || ce->unserialize == zend_user_unserialize || (ZEND_INTERNAL_CLASS != ce->type && ce->create_object == NULL)) {
object_init_ex(*rval, ce);
} else {
/* If this class implements Serializable, it should not land here but in object_custom(). The passed string
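Review bot: The comment above the rewritten condition still says internal classes are "still disabled here", but the new test has three arms and the middle one, `ce->unserialize == zend_user_unserialize`, appears to apply to internal and user classes alike. A maintainer reading only the comment would misjudge which classes reach `object_init_ex()` from an `O:` payload. I would replace it with something like `/* Create a plain object only if the class has no serialize handler, uses the userland Serializable handlers, or is a user class without a custom create_object; everything else is rejected below. */`. The comment begins before the visible part of this hunk, and this file is re2c output, so the wording change belongs in `ext/standard/var_unserializer.re` and the `.c` should be regenerated from it.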
-#line 477 "ext/standard/var_unserializer.c"
+#line 478 "ext/standard/var_unserializer.c"
{
YYCTYPE yych;
static const unsigned char yybm[] = {
yych = *(YYMARKER = ++YYCURSOR);
if (yych == ':') goto yy95;
yy3:
-#line 828 "ext/standard/var_unserializer.re"
+#line 829 "ext/standard/var_unserializer.re"
{ return 0; }
-#line 539 "ext/standard/var_unserializer.c"
+#line 540 "ext/standard/var_unserializer.c"
yy4:
yych = *(YYMARKER = ++YYCURSOR);
if (yych == ':') goto yy89;
goto yy3;
yy14:
++YYCURSOR;
-#line 822 "ext/standard/var_unserializer.re"
+#line 823 "ext/standard/var_unserializer.re"
{
/* this is the case where we have less data than planned */
php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data");
return 0; /* not sure if it should be 0 or 1 here? */
}
-#line 588 "ext/standard/var_unserializer.c"
+#line 589 "ext/standard/var_unserializer.c"
yy16:
yych = *++YYCURSOR;
goto yy3;
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
-#line 676 "ext/standard/var_unserializer.re"
+#line 677 "ext/standard/var_unserializer.re"
{
size_t len, len2, len3, maxlen;
long elements;
return object_common2(UNSERIALIZE_PASSTHRU, elements);
}
-#line 764 "ext/standard/var_unserializer.c"
+#line 765 "ext/standard/var_unserializer.c"
yy25:
yych = *++YYCURSOR;
if (yych <= ',') {
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
-#line 668 "ext/standard/var_unserializer.re"
+#line 669 "ext/standard/var_unserializer.re"
{
INIT_PZVAL(*rval);
return object_common2(UNSERIALIZE_PASSTHRU,
object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR));
}
-#line 797 "ext/standard/var_unserializer.c"
+#line 798 "ext/standard/var_unserializer.c"
yy32:
yych = *++YYCURSOR;
if (yych == '+') goto yy33;
yych = *++YYCURSOR;
if (yych != '{') goto yy18;
++YYCURSOR;
-#line 648 "ext/standard/var_unserializer.re"
+#line 649 "ext/standard/var_unserializer.re"
{
long elements = parse_iv(start + 2);
/* use iv() not uiv() in order to check data range */
return finish_nested_data(UNSERIALIZE_PASSTHRU);
}
-#line 838 "ext/standard/var_unserializer.c"
+#line 839 "ext/standard/var_unserializer.c"
yy39:
yych = *++YYCURSOR;
if (yych == '+') goto yy40;
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
-#line 619 "ext/standard/var_unserializer.re"
+#line 620 "ext/standard/var_unserializer.re"
{
size_t len, maxlen;
char *str;
ZVAL_STRINGL(*rval, str, len, 0);
return 1;
}
-#line 888 "ext/standard/var_unserializer.c"
+#line 889 "ext/standard/var_unserializer.c"
yy46:
yych = *++YYCURSOR;
if (yych == '+') goto yy47;
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
-#line 591 "ext/standard/var_unserializer.re"
+#line 592 "ext/standard/var_unserializer.re"
{
size_t len, maxlen;
char *str;
ZVAL_STRINGL(*rval, str, len, 1);
return 1;
}
-#line 937 "ext/standard/var_unserializer.c"
+#line 938 "ext/standard/var_unserializer.c"
yy53:
yych = *++YYCURSOR;
if (yych <= '/') {
}
yy63:
++YYCURSOR;
-#line 581 "ext/standard/var_unserializer.re"
+#line 582 "ext/standard/var_unserializer.re"
{
#if SIZEOF_LONG == 4
use_double:
ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL));
return 1;
}
-#line 1035 "ext/standard/var_unserializer.c"
+#line 1036 "ext/standard/var_unserializer.c"
yy65:
yych = *++YYCURSOR;
if (yych <= ',') {
yych = *++YYCURSOR;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 566 "ext/standard/var_unserializer.re"
+#line 567 "ext/standard/var_unserializer.re"
{
*p = YYCURSOR;
INIT_PZVAL(*rval);
return 1;
}
-#line 1109 "ext/standard/var_unserializer.c"
+#line 1110 "ext/standard/var_unserializer.c"
yy76:
yych = *++YYCURSOR;
if (yych == 'N') goto yy73;
if (yych <= '9') goto yy79;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 539 "ext/standard/var_unserializer.re"
+#line 540 "ext/standard/var_unserializer.re"
{
#if SIZEOF_LONG == 4
int digits = YYCURSOR - start - 3;
ZVAL_LONG(*rval, parse_iv(start + 2));
return 1;
}
-#line 1163 "ext/standard/var_unserializer.c"
+#line 1164 "ext/standard/var_unserializer.c"
yy83:
yych = *++YYCURSOR;
if (yych <= '/') goto yy18;
yych = *++YYCURSOR;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 532 "ext/standard/var_unserializer.re"
+#line 533 "ext/standard/var_unserializer.re"
{
*p = YYCURSOR;
INIT_PZVAL(*rval);
ZVAL_BOOL(*rval, parse_iv(start + 2));
return 1;
}
-#line 1178 "ext/standard/var_unserializer.c"
+#line 1179 "ext/standard/var_unserializer.c"
yy87:
++YYCURSOR;
-#line 525 "ext/standard/var_unserializer.re"
+#line 526 "ext/standard/var_unserializer.re"
{
*p = YYCURSOR;
INIT_PZVAL(*rval);
ZVAL_NULL(*rval);
return 1;
}
-#line 1188 "ext/standard/var_unserializer.c"
+#line 1189 "ext/standard/var_unserializer.c"
yy89:
yych = *++YYCURSOR;
if (yych <= ',') {
if (yych <= '9') goto yy91;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 502 "ext/standard/var_unserializer.re"
+#line 503 "ext/standard/var_unserializer.re"
{
long id;
return 1;
}
-#line 1234 "ext/standard/var_unserializer.c"
+#line 1235 "ext/standard/var_unserializer.c"
yy95:
yych = *++YYCURSOR;
if (yych <= ',') {
if (yych <= '9') goto yy97;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 481 "ext/standard/var_unserializer.re"
+#line 482 "ext/standard/var_unserializer.re"
{
long id;
return 1;
}
-#line 1278 "ext/standard/var_unserializer.c"
+#line 1279 "ext/standard/var_unserializer.c"
}
-#line 830 "ext/standard/var_unserializer.re"
+#line 831 "ext/standard/var_unserializer.re"
return 0;