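--TEST--
Bug #70219 Use after free vulnerability in session deserializer
--SKIPIF--
<?php include __DIR__ . '/../../../session/tests/skipif.inc'; ?>
--FILE--
<?php
// Regression test for bug #70219: a Serializable::unserialize() callback that
// calls session_decode() while an outer unserialize() call is still running.
// The test passes when both var_dump() calls print the well-formed structures
// listed under EXPECTF.
//
// The payload is built inside this test. In application code, unserialize()
// and session_decode() should never be handed untrusted input.

// php_serialize stores session data in the plain serialize() format, so
// session_decode() accepts the same syntax as unserialize().
ini_set('session.serialize_handler', 'php_serialize');
session_start();

/**
 * Minimal Serializable implementation whose unserialize() hook re-enters the
 * session deserializer with the bytes it is given.
 */
class obj implements Serializable {
    /** Never assigned by this test; EXPECTF shows it as NULL. */
    public $data;

    /** Returns the serialized form of $this->data. */
    public function serialize() {
        return serialize($this->data);
    }

    /**
     * Passes the custom-serialized body to session_decode() instead of
     * restoring $this->data.
     */
    public function unserialize($data) {
        session_decode($data);
    }
}

// 'r:2;' is a back-reference token in the serialize format.
// NOTE(review): presumably it resolves against a value slot owned by the
// outer unserialize() call; confirm against the bug report.
$inner = 'r:2;';

// Two-element array, each element a custom-serialized obj carrying $inner.
$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}}';

$data = unserialize($exploit);

// NOTE(review): these small allocations presumably reuse any memory released
// during decoding, so a regression would surface as corrupted output below.
// $v is deliberately not pre-initialised; keep the statement order as is.
for ($i = 0; $i < 5; $i++) {
    $v[$i] = 'hi'.$i;
}

var_dump($data);
var_dump($_SESSION);
?>
--EXPECTF--
array(2) {
  [0]=>
  &object(obj)#%d (1) {
    ["data"]=>
    NULL
  }
  [1]=>
  object(obj)#%d (1) {
    ["data"]=>
    NULL
  }
}
object(obj)#1 (1) {
  ["data"]=>
  NULL
}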