--TEST--
GH-16590 (UAF in session_encode())
--EXTENSIONS--
session
--SKIPIF--
<?php include('skipif.inc'); ?>
--INI--
session.use_cookies=0
session.cache_limiter=
session.serialize_handler=php
session.save_handler=files
--FILE--
<?php

// Regression scenario for GH-16590: the session holds an object whose
// __serialize() callback replaces $_SESSION while session_encode() is in the
// middle of encoding it.
// NOTE(review): presumably the use-after-free named in the title came from the
// encoder still reading the array that this callback released; the engine-side
// fix is not part of this file, so confirm against the linked issue.
class C {
    function __serialize() {
        // Re-entrant mutation: drop every session entry from inside the callback.
        $_SESSION = [];
        // Serialize with no properties; EXPECTF pins this as O:1:"C":0:{}.
        return [];
    }
}

session_start();

// The object is stored first, under a string key, so it is the one entry that
// ends up in the encoded output.
$_SESSION['Lz'] = new C;
// Two integer-keyed entries are added after the object. With
// session.serialize_handler=php these are reported as "Skipping numeric key"
// warnings (see EXPECTF), which shows the entries added before the callback
// ran are still processed by session_encode().
for ($i = 0; $i < 2; $i++) {
    $_SESSION[$i] = $i;
}

// Passing condition: the call completes and yields exactly the two warnings
// plus the single "Lz" entry. Line numbers are matched with %d in EXPECTF, so
// these comments do not affect the expected output.
var_dump(session_encode());

?>
--EXPECTF--
Warning: session_encode(): Skipping numeric key 0 in %s on line %d

Warning: session_encode(): Skipping numeric key 1 in %s on line %d
string(15) "Lz|O:1:"C":0:{}"