File tree Expand file tree Collapse file tree 4 files changed +607
-547
lines changed Expand file tree Collapse file tree 4 files changed +607
-547
lines changed Original file line number Diff line number Diff line change @@ -43,8 +43,11 @@ PHP NEWS
4343 set). (cmb)
4444
4545- Standard:
46- . Fixed bug #73594 (dns_get_record does not populate $additional out parameter).
47- (Bruce Weirdan)
46+ . Fixed bug #73594 (dns_get_record does not populate $additional out
47+ parameter). (Bruce Weirdan)
48+ . Fixed bug #70213 (Unserialize context shared on double class lookup).
49+ (Taoguang Chen)
50+
4851
4952- Zlib:
5053 . Fixed bug #73373 (deflate_add does not verify that output was not truncated).
Original file line number Diff line number Diff line change 1+ --TEST--
2+ Bug #70213: Unserialize context shared on double class lookup
3+ --FILE--
4+ <?php
5+
6+ ini_set ('unserialize_callback_func ' , 'evil ' );
7+
8+ function evil () {
9+ function __autoload ($ arg
10+ var_dump (unserialize ('R:1; ' ));
11+ }
12+ }
13+
14+ var_dump (unserialize ('a:2:{i:0;i:42;i:1;O:4:"evil":0:{}} ' ));
15+
16+ ?>
17+ --EXPECTF--
18+ Notice: unserialize(): Error at offset 4 of 4 bytes in %s on line %d
19+ bool(false)
20+
21+ Warning: unserialize(): Function evil() hasn't defined the class it was called for in %s on line %d
22+ array(2) {
23+ [0]=>
24+ int(42)
25+ [1]=>
26+ object(__PHP_Incomplete_Class)#1 (1) {
27+ ["__PHP_Incomplete_Class_Name"]=>
28+ string(4) "evil"
29+ }
30+ }
You can’t perform that action at this time.
0 commit comments