File tree Expand file tree Collapse file tree 4 files changed +611
-550
lines changed Expand file tree Collapse file tree 4 files changed +611
-550
lines changed Original file line number Diff line number Diff line change @@ -13,6 +13,10 @@ PHP NEWS
1313 . Reverted fix for bug #73530 (Unsetting result set may reset other result
1414 set). (cmb)
1515
16+ - Standard:
17+ . Fixed bug #70213 (Unserialize context shared on double class lookup).
18+ (Taoguang Chen)
19+
162008 Dec 2016, PHP 5.6.29
1721
1822- Mbstring:
Original file line number Diff line number Diff line change 1+ --TEST--
2+ Bug #70213: Unserialize context shared on double class lookup
3+ --FILE--
4+ <?php
5+
6+ ini_set ('unserialize_callback_func ' , 'evil ' );
7+
8+ function evil () {
9+ function __autoload ($ arg
10+ var_dump (unserialize ('R:1; ' ));
11+ }
12+ }
13+
14+ var_dump (unserialize ('a:2:{i:0;i:42;i:1;O:4:"evil":0:{}} ' ));
15+
16+ ?>
17+ --EXPECTF--
18+ Notice: unserialize(): Error at offset 4 of 4 bytes in %s on line %d
19+ bool(false)
20+
21+ Warning: unserialize(): Function evil() hasn't defined the class it was called for in %s on line %d
22+ array(2) {
23+ [0]=>
24+ int(42)
25+ [1]=>
26+ object(__PHP_Incomplete_Class)#1 (1) {
27+ ["__PHP_Incomplete_Class_Name"]=>
28+ string(4) "evil"
29+ }
30+ }
You can’t perform that action at this time.
0 commit comments