mirror of
https://github.com/php/php-src.git
synced 2024-09-23 19:07:26 +00:00
Merge branch 'PHP-5.6' into PHP-7.0
This commit is contained in:
Nikita Popov
commit
e0ca519a8b
63
ext/standard/tests/serialize/bug69425.phpt
Normal file
63
ext/standard/tests/serialize/bug69425.phpt
Normal file
@ -0,0 +1,63 @@
|
||||
--TEST--
|
||||
Bug #69425: Use After Free in unserialize()
|
||||
--FILE--
|
||||
<?php
|
||||
|
||||
// POC 1
|
||||
class test
|
||||
{
|
||||
var $ryat;
|
||||
|
||||
function __wakeup()
|
||||
{
|
||||
$this->ryat = 1;
|
||||
}
|
||||
}
|
||||
|
||||
$data = unserialize('a:2:{i:0;O:4:"test":1:{s:4:"ryat";R:1;}i:1;i:2;}');
|
||||
var_dump($data);
|
||||
|
||||
// POC 2
|
||||
$data = unserialize('a:2:{i:0;O:12:"DateInterval":1:{s:1:"y";R:1;}i:1;i:2;}');
|
||||
var_dump($data);
|
||||
|
||||
?>
|
||||
--EXPECT--
|
||||
int(1)
|
||||
array(2) {
|
||||
[0]=>
|
||||
object(DateInterval)#1 (15) {
|
||||
["y"]=>
|
||||
int(-1)
|
||||
["m"]=>
|
||||
int(-1)
|
||||
["d"]=>
|
||||
int(-1)
|
||||
["h"]=>
|
||||
int(-1)
|
||||
["i"]=>
|
||||
int(-1)
|
||||
["s"]=>
|
||||
int(-1)
|
||||
["weekday"]=>
|
||||
int(-1)
|
||||
["weekday_behavior"]=>
|
||||
int(-1)
|
||||
["first_last_day_of"]=>
|
||||
int(-1)
|
||||
["invert"]=>
|
||||
int(0)
|
||||
["days"]=>
|
||||
int(-1)
|
||||
["special_type"]=>
|
||||
int(0)
|
||||
["special_amount"]=>
|
||||
int(-1)
|
||||
["have_weekday_relative"]=>
|
||||
int(0)
|
||||
["have_special_relative"]=>
|
||||
int(0)
|
||||
}
|
||||
[1]=>
|
||||
int(2)
|
||||
}
|
||||
39
ext/standard/tests/serialize/bug70513.phpt
Normal file
39
ext/standard/tests/serialize/bug70513.phpt
Normal file
@ -0,0 +1,39 @@
|
||||
--TEST--
|
||||
Bug #70513: GMP Deserialization Type Confusion Vulnerability
|
||||
--SKIPIF--
|
||||
<?php if (!extension_loaded('gmp')) die('skip requires gmp');
|
||||
--FILE--
|
||||
<?php
|
||||
|
||||
class obj
|
||||
{
|
||||
var $ryat;
|
||||
|
||||
function __wakeup()
|
||||
{
|
||||
$this->ryat = 1;
|
||||
}
|
||||
}
|
||||
|
||||
$obj = new stdClass;
|
||||
$obj->aa = 1;
|
||||
$obj->bb = 2;
|
||||
|
||||
$inner = 's:1:"1";a:3:{s:2:"aa";s:2:"hi";s:2:"bb";s:2:"hi";i:0;O:3:"obj":1:{s:4:"ryat";R:2;}}';
|
||||
$exploit = 'a:1:{i:0;C:3:"GMP":'.strlen($inner).':{'.$inner.'}}';
|
||||
$x = unserialize($exploit);
|
||||
var_dump($x);
|
||||
var_dump($obj);
|
||||
|
||||
?>
|
||||
--EXPECT--
|
||||
array(1) {
|
||||
[0]=>
|
||||
int(1)
|
||||
}
|
||||
object(stdClass)#1 (2) {
|
||||
["aa"]=>
|
||||
int(1)
|
||||
["bb"]=>
|
||||
int(2)
|
||||
}
|
||||
18
ext/standard/tests/serialize/bug72731.phpt
Normal file
18
ext/standard/tests/serialize/bug72731.phpt
Normal file
@ -0,0 +1,18 @@
|
||||
--TEST--
|
||||
Bug #72731: Type Confusion in Object Deserialization
|
||||
--FILE--
|
||||
<?php
|
||||
|
||||
class obj {
|
||||
var $ryat;
|
||||
function __wakeup() {
|
||||
$this->ryat = 0x1122334455;
|
||||
}
|
||||
}
|
||||
|
||||
$poc = 'O:8:"stdClass":1:{i:0;O:3:"obj":1:{s:4:"ryat";R:1;}}';
|
||||
var_dump(unserialize($poc));
|
||||
|
||||
?>
|
||||
--EXPECT--
|
||||
int(73588229205)
|
||||
Loading…
Reference in New Issue
Block a user