--TEST--
Bug #70219 Use after free vulnerability in session deserializer
--SKIPIF--
<?php
// The test drives session_decode(), so it is meaningless without ext/session.
if (!extension_loaded('session')) die('skip session extension not available');
?>
--XFAIL--
Unfinished merge, needs fix.
--FILE--
<?php
// Regression test for bug #70219: session_decode() is invoked re-entrantly from a
// Serializable::unserialize() callback while an outer unserialize() call is still
// building its result and resolving a back-reference (R:n) into it.
class obj implements Serializable {
    var $data;

    function serialize() {
        return serialize($this->data);
    }

    // Invoked by the outer unserialize() for the C:3:"obj" element below. It starts a
    // session and hands the payload to session_decode(); the payload is unterminated,
    // so the decode fails with the Warning listed in EXPECTF and destroys the session.
    function unserialize($data) {
        session_start();
        session_decode($data);
    }
}

// Session-serialized value whose braces are never closed, so session_decode()
// cannot parse it. strlen() is correct here: C: lengths are byte counts.
$inner = 'ryat|a:1:{i:0;a:1:{i:1;';
// Outer payload: element 0 is an obj carrying $inner via the custom C: format,
// element 1 is a back-reference (R:4) to a slot of the value being unserialized.
$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;R:4;}';

$data = unserialize($exploit);

// Allocate a few fresh strings after the nested decode has run and before $data is
// inspected; presumably this is so memory released early by the buggy path is reused
// and the defect becomes visible in the dump (or under a memory checker) — confirm
// against the original report before changing this loop.
for ($i = 0; $i < 5; $i++) {
    $v[$i] = 'hi'.$i;
}

var_dump($data);
?>
--EXPECTF--
Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d
array(2) {
  [0]=>
  object(obj)#%d (1) {
    ["data"]=>
    NULL
  }
  [1]=>
  &array(1) {
    ["data"]=>
    NULL
  }
}