summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStanislav Malyshev <stas@php.net>2014-06-21 21:28:33 -0700
committerStanislav Malyshev <stas@php.net>2014-06-23 22:16:25 -0700
commit6d97b4b2b322171d9d3e88ccd5f933bc5661edd6 (patch)
tree6838dc285bf3bf2e4573e81bf48a0e08e520e48c
parentfb0128af2a95ec0d1a0360be49776c5b056d1f33 (diff)
downloadphp-git-6d97b4b2b322171d9d3e88ccd5f933bc5661edd6.tar.gz
Better fix for bug #67072 with more BC provisions
Diffstat
-rw-r--r--NEWS2
-rw-r--r--ext/standard/tests/serialize/bug67072_2.phpt84
-rw-r--r--ext/standard/var_unserializer.c67
-rw-r--r--ext/standard/var_unserializer.re3
4 files changed, 121 insertions, 35 deletions
diff --git a/NEWS b/NEWS
index 31a4a52793..4ee00dbe47 100644
--- a/NEWS
+++ b/NEWS
@@ -3,7 +3,7 @@ PHP NEWS
12 Jun 2014, PHP 5.4.30
- Core:
- . Fixed BC break introduced by patch for bug #67072. (Anatol)
+ . Fixed BC break introduced by patch for bug #67072. (Anatol, Stas)
. Fixed bug #66622 (Closures do not correctly capture the late bound class
(static::) in some cases). (Levi Morrison)
. Fixed bug #67390 (insecure temporary file use in the configure script).
diff --git a/ext/standard/tests/serialize/bug67072_2.phpt b/ext/standard/tests/serialize/bug67072_2.phpt
new file mode 100644
index 0000000000..09eadb9ee1
--- /dev/null
+++ b/ext/standard/tests/serialize/bug67072_2.phpt
@@ -0,0 +1,84 @@
+--TEST--
+Bug #67072 Echoing unserialized "SplFileObject" crash - BC break fixes
+--FILE--
+<?php
+class MySplFileObject extends SplFileObject {}
+class MyArrayObject extends ArrayObject{ var $a = 1; }
+echo unserialize('O:15:"MySplFileObject":1:{s:9:"*filename";s:15:"/home/flag/flag";}');
+
+function testClass($className)
+{
+ // simulate phpunit
+ $object = unserialize(sprintf('O:%d:"%s":0:{}', strlen($className), $className));
+ return $object;
+}
+
+class MyClass {}
+class MyClassSer implements Serializable {
+ function serialize() { return "";}
+ function unserialize($data) { }
+}
+class MyClassSer2 extends MyClassSer {
+}
+
+$classes = array('stdClass', 'MyClass', 'MyClassSer', 'MyClassSer2', 'SplFileObject', 'MySplFileObject',
+ 'SplObjectStorage', 'FooBar', 'Closure', 'ArrayObject', 'MyArrayObject',
+ 'Directory'
+ );
+foreach($classes as $cl) {
+ var_dump(testClass($cl));
+}
+
+?>
+===DONE==
+--EXPECTF--
+Warning: Erroneous data format for unserializing 'MySplFileObject' in %s on line 4
+
+Notice: unserialize(): Error at offset 26 of 66 bytes in %s on line 4
+object(stdClass)#%d (0) {
+}
+object(MyClass)#%d (0) {
+}
+object(MyClassSer)#%d (0) {
+}
+object(MyClassSer2)#%d (0) {
+}
+
+Warning: Erroneous data format for unserializing 'SplFileObject' in %s on line 9
+
+Notice: unserialize(): Error at offset 24 of 25 bytes in %s on line 9
+bool(false)
+
+Warning: Erroneous data format for unserializing 'MySplFileObject' in %s on line 9
+
+Notice: unserialize(): Error at offset 26 of 27 bytes in %s on line 9
+bool(false)
+object(SplObjectStorage)#%d (1) {
+ ["storage":"SplObjectStorage":private]=>
+ array(0) {
+ }
+}
+object(__PHP_Incomplete_Class)#%d (1) {
+ ["__PHP_Incomplete_Class_Name"]=>
+ string(6) "FooBar"
+}
+
+Warning: Erroneous data format for unserializing 'Closure' in %s on line 9
+
+Notice: unserialize(): Error at offset 17 of 18 bytes in %s on line 9
+bool(false)
+object(ArrayObject)#%d (1) {
+ ["storage":"ArrayObject":private]=>
+ array(0) {
+ }
+}
+object(MyArrayObject)#1 (2) {
+ ["a"]=>
+ int(1)
+ ["storage":"ArrayObject":private]=>
+ array(0) {
+ }
+}
+object(Directory)#1 (0) {
+}
+===DONE==
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
index 29d2e0f7ed..2dd10a72e1 100644
--- a/ext/standard/var_unserializer.c
+++ b/ext/standard/var_unserializer.c
@@ -1,4 +1,4 @@
-/* Generated by re2c 0.13.5 on Tue Jun 3 10:23:35 2014 */
+/* Generated by re2c 0.13.5 on Sat Jun 21 21:27:56 2014 */
#line 1 "ext/standard/var_unserializer.re"
/*
+----------------------------------------------------------------------+
@@ -23,6 +23,7 @@
#include "php.h"
#include "ext/standard/php_var.h"
#include "php_incomplete_class.h"
+#include "Zend/zend_interfaces.h"
/* {{{ reference-handling for unserializer: var_* */
#define VAR_ENTRIES_MAX 1024
@@ -226,7 +227,7 @@ static char *unserialize_str(const unsigned char **p, size_t *len, size_t maxlen
#define YYMARKER marker
-#line 234 "ext/standard/var_unserializer.re"
+#line 235 "ext/standard/var_unserializer.re"
@@ -400,7 +401,7 @@ static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
Serializable interface have eventually an inconsistent behavior at this place when
unserialized from a manipulated string. Additionaly the interal classes can possibly
crash PHP so they're still disabled here. */
- if (ce->serialize == NULL || ZEND_INTERNAL_CLASS != ce->type) {
+ if (ce->serialize == NULL || ce->unserialize == zend_user_unserialize || (ZEND_INTERNAL_CLASS != ce->type && ce->create_object == NULL)) {
object_init_ex(*rval, ce);
} else {
/* If this class implements Serializable, it should not land here but in object_custom(). The passed string
@@ -473,7 +474,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
-#line 477 "ext/standard/var_unserializer.c"
+#line 478 "ext/standard/var_unserializer.c"
{
YYCTYPE yych;
static const unsigned char yybm[] = {
@@ -533,9 +534,9 @@ yy2:
yych = *(YYMARKER = ++YYCURSOR);
if (yych == ':') goto yy95;
yy3:
-#line 828 "ext/standard/var_unserializer.re"
+#line 829 "ext/standard/var_unserializer.re"
{ return 0; }
-#line 539 "ext/standard/var_unserializer.c"
+#line 540 "ext/standard/var_unserializer.c"
yy4:
yych = *(YYMARKER = ++YYCURSOR);
if (yych == ':') goto yy89;
@@ -578,13 +579,13 @@ yy13:
goto yy3;
yy14:
++YYCURSOR;
-#line 822 "ext/standard/var_unserializer.re"
+#line 823 "ext/standard/var_unserializer.re"
{
/* this is the case where we have less data than planned */
php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data");
return 0; /* not sure if it should be 0 or 1 here? */
}
-#line 588 "ext/standard/var_unserializer.c"
+#line 589 "ext/standard/var_unserializer.c"
yy16:
yych = *++YYCURSOR;
goto yy3;
@@ -614,7 +615,7 @@ yy20:
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
-#line 676 "ext/standard/var_unserializer.re"
+#line 677 "ext/standard/var_unserializer.re"
{
size_t len, len2, len3, maxlen;
long elements;
@@ -760,7 +761,7 @@ yy20:
return object_common2(UNSERIALIZE_PASSTHRU, elements);
}
-#line 764 "ext/standard/var_unserializer.c"
+#line 765 "ext/standard/var_unserializer.c"
yy25:
yych = *++YYCURSOR;
if (yych <= ',') {
@@ -785,7 +786,7 @@ yy27:
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
-#line 668 "ext/standard/var_unserializer.re"
+#line 669 "ext/standard/var_unserializer.re"
{
INIT_PZVAL(*rval);
@@ -793,7 +794,7 @@ yy27:
return object_common2(UNSERIALIZE_PASSTHRU,
object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR));
}
-#line 797 "ext/standard/var_unserializer.c"
+#line 798 "ext/standard/var_unserializer.c"
yy32:
yych = *++YYCURSOR;
if (yych == '+') goto yy33;
@@ -814,7 +815,7 @@ yy34:
yych = *++YYCURSOR;
if (yych != '{') goto yy18;
++YYCURSOR;
-#line 648 "ext/standard/var_unserializer.re"
+#line 649 "ext/standard/var_unserializer.re"
{
long elements = parse_iv(start + 2);
/* use iv() not uiv() in order to check data range */
@@ -834,7 +835,7 @@ yy34:
return finish_nested_data(UNSERIALIZE_PASSTHRU);
}
-#line 838 "ext/standard/var_unserializer.c"
+#line 839 "ext/standard/var_unserializer.c"
yy39:
yych = *++YYCURSOR;
if (yych == '+') goto yy40;
@@ -855,7 +856,7 @@ yy41:
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
-#line 619 "ext/standard/var_unserializer.re"
+#line 620 "ext/standard/var_unserializer.re"
{
size_t len, maxlen;
char *str;
@@ -884,7 +885,7 @@ yy41:
ZVAL_STRINGL(*rval, str, len, 0);
return 1;
}
-#line 888 "ext/standard/var_unserializer.c"
+#line 889 "ext/standard/var_unserializer.c"
yy46:
yych = *++YYCURSOR;
if (yych == '+') goto yy47;
@@ -905,7 +906,7 @@ yy48:
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
-#line 591 "ext/standard/var_unserializer.re"
+#line 592 "ext/standard/var_unserializer.re"
{
size_t len, maxlen;
char *str;
@@ -933,7 +934,7 @@ yy48:
ZVAL_STRINGL(*rval, str, len, 1);
return 1;
}
-#line 937 "ext/standard/var_unserializer.c"
+#line 938 "ext/standard/var_unserializer.c"
yy53:
yych = *++YYCURSOR;
if (yych <= '/') {
@@ -1021,7 +1022,7 @@ yy61:
}
yy63:
++YYCURSOR;
-#line 581 "ext/standard/var_unserializer.re"
+#line 582 "ext/standard/var_unserializer.re"
{
#if SIZEOF_LONG == 4
use_double:
@@ -1031,7 +1032,7 @@ use_double:
ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL));
return 1;
}
-#line 1035 "ext/standard/var_unserializer.c"
+#line 1036 "ext/standard/var_unserializer.c"
yy65:
yych = *++YYCURSOR;
if (yych <= ',') {
@@ -1090,7 +1091,7 @@ yy73:
yych = *++YYCURSOR;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 566 "ext/standard/var_unserializer.re"
+#line 567 "ext/standard/var_unserializer.re"
{
*p = YYCURSOR;
INIT_PZVAL(*rval);
@@ -1105,7 +1106,7 @@ yy73:
return 1;
}
-#line 1109 "ext/standard/var_unserializer.c"
+#line 1110 "ext/standard/var_unserializer.c"
yy76:
yych = *++YYCURSOR;
if (yych == 'N') goto yy73;
@@ -1132,7 +1133,7 @@ yy79:
if (yych <= '9') goto yy79;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 539 "ext/standard/var_unserializer.re"
+#line 540 "ext/standard/var_unserializer.re"
{
#if SIZEOF_LONG == 4
int digits = YYCURSOR - start - 3;
@@ -1159,7 +1160,7 @@ yy79:
ZVAL_LONG(*rval, parse_iv(start + 2));
return 1;
}
-#line 1163 "ext/standard/var_unserializer.c"
+#line 1164 "ext/standard/var_unserializer.c"
yy83:
yych = *++YYCURSOR;
if (yych <= '/') goto yy18;
@@ -1167,24 +1168,24 @@ yy83:
yych = *++YYCURSOR;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 532 "ext/standard/var_unserializer.re"
+#line 533 "ext/standard/var_unserializer.re"
{
*p = YYCURSOR;
INIT_PZVAL(*rval);
ZVAL_BOOL(*rval, parse_iv(start + 2));
return 1;
}
-#line 1178 "ext/standard/var_unserializer.c"
+#line 1179 "ext/standard/var_unserializer.c"
yy87:
++YYCURSOR;
-#line 525 "ext/standard/var_unserializer.re"
+#line 526 "ext/standard/var_unserializer.re"
{
*p = YYCURSOR;
INIT_PZVAL(*rval);
ZVAL_NULL(*rval);
return 1;
}
-#line 1188 "ext/standard/var_unserializer.c"
+#line 1189 "ext/standard/var_unserializer.c"
yy89:
yych = *++YYCURSOR;
if (yych <= ',') {
@@ -1207,7 +1208,7 @@ yy91:
if (yych <= '9') goto yy91;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 502 "ext/standard/var_unserializer.re"
+#line 503 "ext/standard/var_unserializer.re"
{
long id;
@@ -1230,7 +1231,7 @@ yy91:
return 1;
}
-#line 1234 "ext/standard/var_unserializer.c"
+#line 1235 "ext/standard/var_unserializer.c"
yy95:
yych = *++YYCURSOR;
if (yych <= ',') {
@@ -1253,7 +1254,7 @@ yy97:
if (yych <= '9') goto yy97;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 481 "ext/standard/var_unserializer.re"
+#line 482 "ext/standard/var_unserializer.re"
{
long id;
@@ -1274,9 +1275,9 @@ yy97:
return 1;
}
-#line 1278 "ext/standard/var_unserializer.c"
+#line 1279 "ext/standard/var_unserializer.c"
}
-#line 830 "ext/standard/var_unserializer.re"
+#line 831 "ext/standard/var_unserializer.re"
return 0;
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index cd4d53b5c1..9a9c693337 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -21,6 +21,7 @@
#include "php.h"
#include "ext/standard/php_var.h"
#include "php_incomplete_class.h"
+#include "Zend/zend_interfaces.h"
/* {{{ reference-handling for unserializer: var_* */
#define VAR_ENTRIES_MAX 1024
@@ -404,7 +405,7 @@ static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
Serializable interface have eventually an inconsistent behavior at this place when
unserialized from a manipulated string. Additionaly the interal classes can possibly
crash PHP so they're still disabled here. */
- if (ce->serialize == NULL || ZEND_INTERNAL_CLASS != ce->type) {
+ if (ce->serialize == NULL || ce->unserialize == zend_user_unserialize || (ZEND_INTERNAL_CLASS != ce->type && ce->create_object == NULL)) {
object_init_ex(*rval, ce);
} else {
/* If this class implements Serializable, it should not land here but in object_custom(). The passed string
View Lorry Controller Status