diff options
Diffstat (limited to 'ext/standard/tests/serialize/bug70219_1.phpt')
-rw-r--r-- | ext/standard/tests/serialize/bug70219_1.phpt | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/ext/standard/tests/serialize/bug70219_1.phpt b/ext/standard/tests/serialize/bug70219_1.phpt new file mode 100644 index 0000000000..f9c4c672fd --- /dev/null +++ b/ext/standard/tests/serialize/bug70219_1.phpt @@ -0,0 +1,46 @@ +--TEST-- +Bug #70219 Use after free vulnerability in session deserializer +--FILE-- +<?php +ini_set('session.serialize_handler', 'php_serialize'); +session_start(); + +class obj implements Serializable { + var $data; + function serialize() { + return serialize($this->data); + } + function unserialize($data) { + session_decode($data); + } +} + +$inner = 'r:2;'; +$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}}'; + +$data = unserialize($exploit); + +for ($i = 0; $i < 5; $i++) { + $v[$i] = 'hi'.$i; +} + +var_dump($data); +var_dump($_SESSION); +?> +--EXPECTF-- +array(2) { + [0]=> + &object(obj)#%d (1) { + ["data"]=> + NULL + } + [1]=> + object(obj)#%d (1) { + ["data"]=> + NULL + } +} +object(obj)#1 (1) { + ["data"]=> + NULL +}
\ No newline at end of file |