1--TEST-- 2Bug #72785: allowed_classes only applies to outermost unserialize() 3--FILE-- 4<?php 5 6// Forbidden class 7class A {} 8 9$p = 'x:i:0;a:1:{i:0;O:1:"A":0:{}};m:a:0:{}'; 10$s = 'C:11:"ArrayObject":' . strlen($p) . ':{' . $p . '}'; 11var_dump(unserialize($s, ['allowed_classes' => ['ArrayObject']])); 12 13?> 14--EXPECT-- 15object(ArrayObject)#1 (1) { 16 ["storage":"ArrayObject":private]=> 17 array(1) { 18 [0]=> 19 object(__PHP_Incomplete_Class)#2 (1) { 20 ["__PHP_Incomplete_Class_Name"]=> 21 string(1) "A" 22 } 23 } 24} 25
