authorDmitry Stogov <dmitry@zend.com>2017-10-13 15:53:11 +0300
committerDmitry Stogov <dmitry@zend.com>2017-10-13 15:53:11 +0300
commitf26fc527da442943892f265ea48d94a22c29b2bc (patch)
tree673239c871cb50dc329120c28159815f116c1b3e /ext/standard/tests/serialize
parentb9f9d44b52e3b68335b73314a50b1c72d691ae65 (diff)
downloadphp-git-f26fc527da442943892f265ea48d94a22c29b2bc.tar.gz
Fixed unserialize(), to disable creation of unsupported data structures through manually crafted strings. (Dmitry)
Diffstat (limited to 'ext/standard/tests/serialize')
-rw-r--r--ext/standard/tests/serialize/bug70172.phpt2
-rw-r--r--ext/standard/tests/serialize/bug70963.phpt22
-rw-r--r--ext/standard/tests/serialize/unserialize_mem_leak.phpt5
3 files changed, 8 insertions, 21 deletions
diff --git a/ext/standard/tests/serialize/bug70172.phpt b/ext/standard/tests/serialize/bug70172.phpt
index 471d1a4b4e..a2359d6434 100644
--- a/ext/standard/tests/serialize/bug70172.phpt
+++ b/ext/standard/tests/serialize/bug70172.phpt
@@ -19,7 +19,7 @@ $fakezval .= "\x01";
$fakezval .= "\x00";
$fakezval .= "\x00\x00";
-$inner = 'r:2;';
+$inner = 'R:2;';
$exploit = 'a:2:{i:0;i:1;i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}}';
$data = unserialize($exploit);
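Review bot: Changing `$inner` from `r:2;` to `R:2;` removes the original crafted input from this regression test, so nothing in the visible lines asserts how unserialize() now treats the `r:2;` form. Presumably the old payload is now rejected because its `r:` target is not an object, but that is inferred from the commit message. Consider keeping a second case with the old payload and expecting the `Notice: unserialize(): Error at offset %d of %d bytes` plus `bool(false)` result, as bug70963.phpt does. The expected-output section of this test lies outside the hunk, so it cannot be checked here.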
diff --git a/ext/standard/tests/serialize/bug70963.phpt b/ext/standard/tests/serialize/bug70963.phpt
index 0bdfb2c4c9..c4e2267b04 100644
--- a/ext/standard/tests/serialize/bug70963.phpt
+++ b/ext/standard/tests/serialize/bug70963.phpt
@@ -25,22 +25,6 @@ array(2) {
[1]=>
string(4) "test"
}
-array(2) {
- [0]=>
- object(Exception)#%d (6) {
- ["message":protected]=>
- string(0) ""
- ["string":"Exception":private]=>
- string(0) ""
- ["code":protected]=>
- int(0)
- ["file":protected]=>
- string(%d) "%s"
- ["line":protected]=>
- int(3)
- ["previous":"Exception":private]=>
- NULL
- }
- [1]=>
- string(4) "test"
-}
+
+Notice: unserialize(): Error at offset %d of %d bytes in %sbug70963.php on line 3
+bool(false)
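Review bot: The new expectation `Error at offset %d of %d bytes` matches a failure at any offset, so the test would still pass if unserialize() rejected the string for an unrelated reason or at a different point in the parse. The input is a fixed string, so the exact offset and length could be written in place of the two `%d` wildcards to pin the rejection to the reference token. The same applies to the EXPECTF line added in unserialize_mem_leak.phpt. The input string and the `--EXPECTF--` header are outside this hunk.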
diff --git a/ext/standard/tests/serialize/unserialize_mem_leak.phpt b/ext/standard/tests/serialize/unserialize_mem_leak.phpt
index 97c59f9ad1..2a295d83b9 100644
--- a/ext/standard/tests/serialize/unserialize_mem_leak.phpt
+++ b/ext/standard/tests/serialize/unserialize_mem_leak.phpt
@@ -8,9 +8,12 @@ function foo() {
gc_collect_cycles();
}
+$str = 'a:1:{i:0;R:1;}';
+foo(unserialize($str));
$str = 'a:1:{i:0;r:1;}';
foo(unserialize($str));
echo "okey";
?>
---EXPECT--
+--EXPECTF--
+Notice: unserialize(): Error at offset %d of %d bytes in %sunserialize_mem_leak.php on line 9
okey
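Review bot: Nothing in the test says which of the two `unserialize()` calls is expected to emit the notice; the only hint is `on line 9` in the expected output, which appears to be the second call (`r:1;`), though a blank line may be missing from this view. A short comment above each case would make the intent clear, for example `// R: self-reference to the array is still accepted` and `// r: pointing at a non-object is rejected with a notice`. Since `foo()` is declared without parameters in the hunk header, the return values are never checked. A `var_dump(unserialize($str) === false);` on the `r:1;` case would assert the rejection rather than only the notice text.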