Fix bug #72785 - allowed_classes only applies to outermost unserialize()

author: Stanislav Malyshev <stas@php.net> 2016-09-05 19:56:36 -0700
committer: Stanislav Malyshev <stas@php.net> 2016-09-05 19:56:36 -0700
commit: 747d21cfd2a7414b8d5ace203524f61eab2b8323 (patch)
tree: 95f5dd2695455e6a6f4bf794c33a37bc635da5c4 /ext/standard/tests/serialize/bug72785.phpt
parent: 1928cdcacb3284658682d0cd68ac1ee3cf9cc653 (diff)
download: php-git-747d21cfd2a7414b8d5ace203524f61eab2b8323.tar.gz
1 files changed, 24 insertions, 0 deletions
diff --git a/ext/standard/tests/serialize/bug72785.phpt b/ext/standard/tests/serialize/bug72785.phpt
new file mode 100644
index 0000000000..8bcdf635f7
--- /dev/null
+++ b/ext/standard/tests/serialize/bug72785.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Bug #72785: allowed_classes only applies to outermost unserialize()
+--FILE--
+<?php
+
+// Forbidden class
+class A {}
+
+$p = 'x:i:0;a:1:{i:0;O:1:"A":0:{}};m:a:0:{}';
+$s = 'C:11:"ArrayObject":' . strlen($p) . ':{' . $p . '}';
+var_dump(unserialize($s, ['allowed_classes' => ['ArrayObject']]));
+
+?>
+--EXPECT--
+object(ArrayObject)#1 (1) {
+  ["storage":"ArrayObject":private]=>
+  array(1) {
+    [0]=>
+    object(__PHP_Incomplete_Class)#2 (1) {
+      ["__PHP_Incomplete_Class_Name"]=>
+      string(1) "A"
+    }
+  }
+}
author	Stanislav Malyshev <stas@php.net>	2016-09-05 19:56:36 -0700
committer	Stanislav Malyshev <stas@php.net>	2016-09-05 19:56:36 -0700
commit	747d21cfd2a7414b8d5ace203524f61eab2b8323 (patch)
tree	95f5dd2695455e6a6f4bf794c33a37bc635da5c4 /ext/standard/tests/serialize/bug72785.phpt
parent	1928cdcacb3284658682d0cd68ac1ee3cf9cc653 (diff)
download	php-git-747d21cfd2a7414b8d5ace203524f61eab2b8323.tar.gz