1--TEST-- 2Bug #70219 Use after free vulnerability in session deserializer 3--XFAIL-- 4Unfinished merge, needs fix. 5--FILE-- 6<?php 7class obj implements Serializable { 8 var $data; 9 function serialize() { 10 return serialize($this->data); 11 } 12 function unserialize($data) { 13 session_start(); 14 session_decode($data); 15 } 16} 17 18$inner = 'ryat|a:1:{i:0;a:1:{i:1;'; 19$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;R:4;}'; 20 21$data = unserialize($exploit); 22 23for ($i = 0; $i < 5; $i++) { 24 $v[$i] = 'hi'.$i; 25} 26 27var_dump($data); 28?> 29--EXPECTF-- 30Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d 31array(2) { 32 [0]=> 33 object(obj)#%d (1) { 34 ["data"]=> 35 NULL 36 } 37 [1]=> 38 &array(1) { 39 ["data"]=> 40 NULL 41 } 42} 43
