mirror of
https://github.com/php/php-src.git
synced 2024-09-23 19:07:26 +00:00
53 lines
900 B
PHP
53 lines
900 B
PHP
--TEST--
|
|
Bug #70219 Use after free vulnerability in session deserializer
|
|
--SKIPIF--
|
|
<?php
|
|
if (!extension_loaded("session")) {
|
|
die("skip Session module not loaded");
|
|
}
|
|
?>
|
|
--FILE--
|
|
<?php
|
|
ini_set('session.serialize_handler', 'php_serialize');
|
|
session_start();
|
|
|
|
class obj implements Serializable {
|
|
var $data;
|
|
function serialize() {
|
|
return serialize($this->data);
|
|
}
|
|
function unserialize($data) {
|
|
session_decode($data);
|
|
}
|
|
}
|
|
|
|
$inner = 'r:2;';
|
|
$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}}';
|
|
|
|
$data = unserialize($exploit);
|
|
|
|
for ($i = 0; $i < 5; $i++) {
|
|
$v[$i] = 'hi'.$i;
|
|
}
|
|
|
|
var_dump($data);
|
|
var_dump($_SESSION);
|
|
?>
|
|
--EXPECTF--
|
|
array(2) {
|
|
[0]=>
|
|
object(obj)#%d (1) {
|
|
["data"]=>
|
|
NULL
|
|
}
|
|
[1]=>
|
|
object(obj)#%d (1) {
|
|
["data"]=>
|
|
NULL
|
|
}
|
|
}
|
|
object(obj)#1 (1) {
|
|
["data"]=>
|
|
NULL
|
|
}
|