f2e8c5da | 12-Jan-2023 | Tim Düsterhus

unserialize: Strictly check for `:{` at object start (#10214)

* unserialize: Strictly check for `:{` at object start

* unserialize: Update CVE tests

  It's unlikely that the object syntax error contributed to the actual CVE. The CVE is rather caused by the incorrect object serialization data of the `C` format.

  Add a second string without such a syntax error to ensure that path is still executed as well to ensure the CVE is absent.

* Fix test expectation in gmp/tests/bug74670.phpt

  No changes to the input required, because the test actually is intended to verify the behavior for a missing `}`, it's just that the report position changed.

* NEWS

* UPGRADING

5c355946 | 02-Sep-2022 | Máté Kocsis

Fix memory leak triggered by unsuccessful dynamic property unserialization

Closes GH-9468

adb45a63 | 30-Aug-2022 | Máté Kocsis

Fix GH-9186 @strict-properties can be bypassed using unserialization (#9354)

* Emit deprecation warnings when adding dynamic properties to classes during unserialization - this will become an Error in php 9.0. (Adding dynamic properties in other contexts was already a deprecation warning - the use case of unserialization was overlooked)
* Throw an error when attempting to add a dynamic property to a `readonly` class when unserializing
* Add new serialization methods `__serialize`/`__unserialize` for SplFixedArray to avoid creating deprecated dynamic properties that would then be added to the backing fixed-size array
* Don't add named dynamic/declared properties (e.g. $obj->foo) of SplFixedArray to the backing array when unserializing
* Update tests to declare properties or to expect the deprecation warning
* Add news entry

Co-authored-by: Tyson Andre <tysonandre775@hotmail.com>

6b8d4151 | 01-Sep-2021 | Nikita Popov

Remove leftover zval_ptr_dtor

This should have been dropped as part of a8254ed57685c134073f41251365dc901c1b0ab8.

a8254ed5 | 01-Sep-2021 | Nikita Popov

Simplify unserialize_callback_func handling

4a4ae45a | 12-Aug-2021 | Nikita Popov

Fix bug #81142 by adding zend_string_init_existing_interned()

Add a new interned string handler that fetches an interned string if it exists, but does not create one if it does not (and instead returns a non-interned string). This fixes bug #81142, by preventing the creation of new interned strings for unserialized array keys.

Closes GH-7360.

814a9327 | 16-Jul-2021 | Nikita Popov

Add ZEND_ACC_NOT_SERIALIZABLE flag

This prevents serialization and unserialization of a class and its children in a way that does not depend on the zend_class_serialize_deny and zend_class_unserialize_deny handlers that will be going away in PHP 9 together with the Serializable interface.

In stubs, `@not-serializable` can be used to set this flag. This patch only uses the new flag for a handful of Zend classes, converting the remainder is left for later.

Closes GH-7249. Fixes bug #81111.

01b3fc03 | 06-May-2021 | KsaR

Update http->https in license (#6945)

1. Update: http://www.php.net/license/3_01.txt to https, as there is anyway a server header "Location:" to https.
2. Update few license 3.0 to 3.01 as 3.0 states "php 5.1.1, 4.1.1, and earlier".
3. In some license comments it is "at through the world-wide-web" while most are without "at", so deleted.
4. Fixed indentation in some files before

fd1d5ec2 | 28-Apr-2021 | Nikita Popov

Add ZEND_CLASS_CONST_FLAGS() macro

And drop Z_ACCESS_FLAGS(). We no longer store *only* access flags in these.

f681c4a7 | 09-Apr-2021 | Dmitry Stogov

Use Fast Class Cache to speed up object unserialization

f191e4f2 | 08-Apr-2021 | Dmitry Stogov

Avoid destructor call for LONG keys

556d7526 | 08-Apr-2021 | Dmitry Stogov

Prevent call of var_push_dtor_value() on hot path.

When serialising object properties, they often may override the default values, however default values are most often scalars, interned strings or immutable arrays.

b3e59dc1 | 07-Apr-2021 | Dmitry Stogov

unserialize() optimization

269c8dac | 10-Jun-2020 | Ilija Tovilo

Implement enums

RFC: https://wiki.php.net/rfc/enumerations

Co-authored-by: Nikita Popov <nikita.ppv@gmail.com>

Closes GH-6489.

0f6c0020 | 25-Feb-2021 | Dmitry Stogov

Speed up __sleep() and __wakeup() calls

3b29f516 | 20-Feb-2021 | Dmitry Stogov

Revert "Remove class validation. zend_lookup_class_ex() performs it anyway."

This reverts commit 61cf1355fd53b6556f0502510ba3e1efbd04d242.

Class name validation is only performed if a key is not passed. Here, lc_name is passed as key.

61cf1355 | 20-Feb-2021 | Dmitry Stogov

Remove class validation. zend_lookup_class_ex() performs it anyway.

e0328473 | 18-Feb-2021 | Nikita Popov

Initialize property to UNDEF on unserialize overwrite

The UNDEF marker here is important to prevent the creation of a reference to the property currently being overwritten, which would then leak.

This fixes oss-fuzz 6029559193534464, which was incorrectly merged into oss-fuzz #30584 (which is reported at https://github.com/google/oss-fuzz/issues/5211).

b87080f3 | 18-Feb-2021 | Nikita Popov

Don't use unmangled name if property not found

This restores the previous behavior for this case. We'll continue to use the mangled name, even if it does not correspond to a declared property.

This also fixes an assertion failure for the case of property overwrite, as the add_new was not guaranteed to be "new" previously.

Fixes oss-fuzz #31045.

76b36356 | 17-Feb-2021 | Dmitry Stogov

unserialize() optimization.

Omit class name validation before hash lookup, and perform it only before autoloading.

081349fe | 16-Feb-2021 | Dmitry Stogov

Improved unserialize() performance.

Checks for object property "visibility change" were moved, to be performed only if name/visibility had been really changed.

141c4be7 | 15-Jan-2021 | Nikita Popov

Limit unserialization element count more aggressively

This is slightly more aggressive about rejecting obviously incorrect element counts. Previously the number of elements was allowed to match the number of characters. Now it is the number of characters divided by two (this can actually be increased further to at least 4).

This doesn't really matter in the grand scheme of things (as it just cuts maximum memory usage by half), but should fix oss-fuzz #29356.

3e01f5af | 15-Jan-2021 | Nikita Popov

Replace zend_bool uses with bool

We're starting to see a mix between uses of zend_bool and bool. Replace all usages with the standard bool type everywhere. Of course, zend_bool is retained as an alias.

2d467abc | 07-Dec-2020 | Nikita Popov

Fix another typed resource issue in unserialization

We also need to discard old entries in the ref_props HT when values are overwritten.

We should really forbid these kinds of overwrites. I believe they can only occur in manually crafted serialization strings, and cause so many problems...

Fixes oss-fuzz #28257.

77325c44 | 04-Dec-2020 | Nikita Popov

Fix removal of type source during unserialization

Missed a check for info in this code. Add it, and add an assertion in type source removal to make it easier to catch this issue.

Fixes oss-fuzz #28208 and #28257.