Fix bug #72785 - allowed_classes only applies to outermost unserialize()

Author: smalyshev

ext/standard/php_var.h

@@ -45,12 +45,12 @@ PHPAPI void php_var_serialize(smart_str *buf, zval *struc, php_serialize_data_t
 PHPAPI int php_var_unserialize(zval *rval, const unsigned char **p, const unsigned char *max, php_unserialize_data_t *var_hash);
 PHPAPI int php_var_unserialize_ref(zval *rval, const unsigned char **p, const unsigned char *max, php_unserialize_data_t *var_hash);
 PHPAPI int php_var_unserialize_intern(zval *rval, const unsigned char **p, const unsigned char *max, php_unserialize_data_t *var_hash);
-PHPAPI int php_var_unserialize_ex(zval *rval, const unsigned char **p, const unsigned char *max, php_unserialize_data_t *var_hash, HashTable *classes);
 
 PHPAPI php_serialize_data_t php_var_serialize_init(void);
 PHPAPI void php_var_serialize_destroy(php_serialize_data_t d);
 PHPAPI php_unserialize_data_t php_var_unserialize_init(void);
 PHPAPI void php_var_unserialize_destroy(php_unserialize_data_t d);
+PHPAPI void php_var_unserialize_set_allowed_classes(php_unserialize_data_t d, HashTable *classes);
 
 #define PHP_VAR_SERIALIZE_INIT(d) \
 	(d) = php_var_serialize_init()

ext/standard/tests/serialize/bug72785.phpt

@@ -0,0 +1,24 @@
+--TEST--
+Bug #72785: allowed_classes only applies to outermost unserialize()
+--FILE--
+<?php
+
+// Forbidden class
+class A {}
+
+$p = 'x:i:0;a:1:{i:0;O:1:"A":0:{}};m:a:0:{}';
+$s = 'C:11:"ArrayObject":' . strlen($p) . ':{' . $p . '}';
+var_dump(unserialize($s, ['allowed_classes' => ['ArrayObject']]));
+
+?>
+--EXPECT--
+object(ArrayObject)#1 (1) {
+  ["storage":"ArrayObject":private]=>
+  array(1) {
+    [0]=>
+    object(__PHP_Incomplete_Class)#2 (1) {
+      ["__PHP_Incomplete_Class_Name"]=>
+      string(1) "A"
+    }
+  }
+}

ext/standard/tests/serialize/unserialize_error_001.phpt

@@ -13,40 +13,11 @@ var_dump(unserialize($s, ["allowed_classes" => 0]));
 var_dump(unserialize($s, ["allowed_classes" => 1]));
 
 --EXPECTF--
-array(3) {
-  [0]=>
-  object(__PHP_Incomplete_Class)#%d (2) {
-    ["__PHP_Incomplete_Class_Name"]=>
-    string(3) "foo"
-    ["x"]=>
-    string(3) "bar"
-  }
-  [1]=>
-  int(2)
-  [2]=>
-  string(1) "3"
-}
-array(3) {
-  [0]=>
-  object(__PHP_Incomplete_Class)#%d (2) {
-    ["__PHP_Incomplete_Class_Name"]=>
-    string(3) "foo"
-    ["x"]=>
-    string(3) "bar"
-  }
-  [1]=>
-  int(2)
-  [2]=>
-  string(1) "3"
-}
-array(3) {
-  [0]=>
-  object(foo)#%d (1) {
-    ["x"]=>
-    string(3) "bar"
-  }
-  [1]=>
-  int(2)
-  [2]=>
-  string(1) "3"
-}
+Warning: unserialize(): allowed_classes option should be array or boolean in %s on line %d
+bool(false)
+
+Warning: unserialize(): allowed_classes option should be array or boolean in %s on line %d
+bool(false)
+
+Warning: unserialize(): allowed_classes option should be array or boolean in %s on line %d
+bool(false)

ext/standard/var.c

@@ -1079,6 +1079,12 @@ PHP_FUNCTION(unserialize)
 	PHP_VAR_UNSERIALIZE_INIT(var_hash);
 	if(options != NULL) {
 		classes = zend_hash_str_find(Z_ARRVAL_P(options), "allowed_classes", sizeof("allowed_classes")-1);
+		if (classes && Z_TYPE_P(classes) != IS_ARRAY && Z_TYPE_P(classes) != IS_TRUE && Z_TYPE_P(classes) != IS_FALSE) {
+			php_error_docref(NULL, E_WARNING, "allowed_classes option should be array or boolean");
+			PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+			RETURN_FALSE;
+		}
+
 		if(classes && (Z_TYPE_P(classes) == IS_ARRAY || !zend_is_true(classes))) {
 			ALLOC_HASHTABLE(class_hash);
 			zend_hash_init(class_hash, (Z_TYPE_P(classes) == IS_ARRAY)?zend_hash_num_elements(Z_ARRVAL_P(classes)):0, NULL, NULL, 0);
@@ -1094,9 +1100,10 @@ PHP_FUNCTION(unserialize)
 		        zend_string_release(lcname);
 			} ZEND_HASH_FOREACH_END();
 		}
+		php_var_unserialize_set_allowed_classes(var_hash, class_hash);
 	}
 
-	if (!php_var_unserialize_ex(return_value, &p, p + buf_len, &var_hash, class_hash)) {
+	if (!php_var_unserialize(return_value, &p, p + buf_len, &var_hash)) {
 		PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
 		if (class_hash) {
 			zend_hash_destroy(class_hash);