SimpleXML allow serialize() calls without warning
| Bug #49800 | SimpleXML allow serialize() calls without warning | | |
|---|---|---|---|
| Submitted: | 2009-10-07 09:09 UTC | Modified: | 2009-10-07 12:46 UTC |
| From: | wmeler at wp-sa dot pl | Assigned: | |
| Status: | Closed | Package: | SimpleXML related |
| PHP Version: | 5.3.0 | OS: | any |
| Private report: | No | CVE-ID: | None |
[2009-10-07 09:09 UTC] wmeler at wp-sa dot pl
Description:
------------
SimpleXML allows serialization, which can (and should) be easily forbidden with the following patch:
--- php-5.3.0/ext/simplexml/simplexml.c 2009-06-11 11:41:15.000000000 +0200
+++ arisphp5/php/ext/simplexml/simplexml.c 2009-10-06 18:39:54.000652000 +0200
@@ -2526,6 +2526,8 @@
sxe_class_entry = zend_register_internal_class(&sxe TSRMLS_CC);
sxe_class_entry->get_iterator = php_sxe_get_iterator;
sxe_class_entry->iterator_funcs.funcs = &php_sxe_iterator_funcs;
+ sxe_class_entry->serialize = zend_class_serialize_deny;
+ sxe_class_entry->unserialize = zend_class_unserialize_deny;
zend_class_implements(sxe_class_entry TSRMLS_CC, 1, zend_ce_traversable);
sxe_object_handlers.get_method = zend_get_std_object_handlers()->get_method;
sxe_object_handlers.get_constructor = zend_get_std_object_handlers()->get_constructor;
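Review bot: this is a user-visible behaviour change and should be recorded in NEWS/UPGRADING, not just in the class registration. The `+ sxe_class_entry->unserialize = zend_class_unserialize_deny;` line means that the `O:16:"SimpleXMLElement":0:{}` payload an unpatched 5.3.0 emits (see "Actual result" below) will from now on throw an Exception on unserialize() instead of quietly producing an empty object, so any application that round-trips a SimpleXMLElement through a session or cache store starts failing after the upgrade. Suggest the commit message and NEWS entry state both halves of the change (serialize() and unserialize() now throw) and point users at persisting `asXML()` output instead.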
Reproduce code:
---------------
<?php
// Serializing a SimpleXMLElement succeeds silently and yields an empty object.
echo serialize(simplexml_load_string("<xml/>"));
Expected result:
----------------
Exception: Serialization of 'SimpleXMLElement' is not allowed in ...
Actual result:
--------------
O:16:"SimpleXMLElement":0:{}
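The following is an added example and is not part of the bug report or of PHP's own code. It shows why the silent serialization is a problem: the serialized payload carries none of the document, so whatever is restored later has lost its contents, and on a build that carries the patch serialize() throws instead. It then shows the pattern a practitioner would use to persist a SimpleXMLElement safely, namely storing the asXML() text and re-parsing it with LIBXML_NONET, which needs no unserialize() call at all. The sample document, and the helper names sxe_freeze() and sxe_thaw(), are constructed for this example.

```php
<?php
// Added example (not from the bug report). Constructed sample document:
$doc = '<config><db host="db.internal" user="app"/></config>';
$xml = simplexml_load_string($doc);

// 1. The behaviour reported in the bug: serialize() returns a payload that
//    contains no document at all, so unserialize() cannot restore the data.
//    On a build with the patch applied, serialize() throws an Exception.
try {
    $blob = serialize($xml);
    echo "serialized payload: $blob\n";
    // Nothing in $blob identifies the <config> document we started from.
    echo "payload mentions <config>: " . (strpos($blob, 'config') === false ? 'no' : 'yes') . "\n";
} catch (Exception $e) {
    echo "serialization denied: " . $e->getMessage() . "\n";
}

// 2. Safe pattern: persist the XML text, not the wrapper object.
//    (Hypothetical helper names, introduced for this example.)
function sxe_freeze(SimpleXMLElement $el)
{
    $text = $el->asXML();
    if ($text === false) {
        throw new UnexpectedValueException('element could not be rendered as XML');
    }
    return $text;
}

function sxe_thaw($text)
{
    if (!is_string($text)) {
        throw new UnexpectedValueException('expected XML text');
    }
    // LIBXML_NONET: never fetch external DTDs or entities while re-parsing
    // text that came back from storage.
    $el = simplexml_load_string($text, 'SimpleXMLElement', LIBXML_NONET);
    if ($el === false) {
        throw new UnexpectedValueException('stored XML no longer parses');
    }
    return $el;
}

$restored = sxe_thaw(sxe_freeze($xml));
echo "restored host: " . (string) $restored->db['host'] . "\n";
```

Storing the XML text rather than the object sidesteps both the data loss shown in the bug and the general risk of calling unserialize() on data read back from a cache or session, since the stored value is re-parsed as XML rather than instantiated as an object.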
[2009-10-07 12:46 UTC] iliaa@php.net
[2010-04-19 17:42 UTC] admin at fazigame dot com