Find this useful? Enter your email to receive occasional updates for securing PHP code.

Signing you up...

Thank you for signing up!

PHP Decode

--TEST-- Phar with unsafe object in metadata does not unserialize on reading a file. --EXT..

Decoded Output download

--TEST--
Phar with unsafe object in metadata does not unserialize on reading a file.
--EXTENSIONS--
phar
--INI--
phar.require_hash=0
phar.readonly=0
--FILE--
<?php
class EchoesOnWakeup {
    public function __wakeup() {
        echo "In wakeup
";
    }
}
$fname = __DIR__ . '/' . basename(__FILE__, '.php') . '.phar.php';
$pname = 'phar://' . $fname;
$file = "<?php __HALT_COMPILER(); ?>";

$files = array();
$files['a'] = array('cont' => 'contents of file a');
include 'files/phar_test.inc';

echo "Reading file contents through stream wrapper
";
foreach($files as $name => $cont) {
    var_dump(file_get_contents($pname.'/'.$name));
}

$phar = new Phar($fname);
echo "Original metadata
";
var_dump($phar->getMetadata());
$phar->setMetadata(new EchoesOnWakeup());
unset($phar);
// NOTE: Phar will use the cached value of metadata if setMetaData was called on that Phar path before.
// Save the writes to the phar and use a different file path.
$fname_new = "$fname.copy.php";
copy($fname, $fname_new);
$phar = new Phar($fname_new);
echo "Calling getMetadata
";
var_dump($phar->getMetadata());
echo "Calling getMetadata with no allowed_classes
";
var_dump($phar->getMetadata(['allowed_classes' => []]));
echo "Calling getMetadata with EchoesOnWakeup allowed
";
var_dump($phar->getMetadata(['allowed_classes' => [EchoesOnWakeup::class]]));
// Part of this is a test that there are no unexpected behaviors when both selMetadata and getMetadata are used
$phar->setMetaData([new EchoesOnWakeup(), new stdClass()]);
echo "Calling getMetadata with too low max_depth
";
var_dump($phar->getMetadata(['max_depth' => 1]));
echo "Calling getMetadata with some allowed classes
";
var_dump($phar->getMetadata(['allowed_classes' => [EchoesOnWakeup::class]]));
echo "Calling getMetadata with no options returns the original metadata value
";
var_dump($phar->getMetadata());
unset($phar);

?>
--CLEAN--
<?php
unlink(__DIR__ . '/' . basename(__FILE__, '.clean.php') . '.phar.php');
unlink(__DIR__ . '/' . basename(__FILE__, '.clean.php') . '.phar.php.copy.php');
?>
--EXPECTF--
Reading file contents through stream wrapper
string(18) "contents of file a"
Original metadata
NULL
Calling getMetadata
In wakeup
object(EchoesOnWakeup)#2 (0) {
}
Calling getMetadata with no allowed_classes
object(__PHP_Incomplete_Class)#2 (1) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(14) "EchoesOnWakeup"
}
Calling getMetadata with EchoesOnWakeup allowed
In wakeup
object(EchoesOnWakeup)#2 (0) {
}
Calling getMetadata with too low max_depth

Warning: Phar::getMetadata(): Maximum depth of 1 exceeded. The depth limit can be changed using the max_depth unserialize() option or the unserialize_max_depth ini setting in %sphar_metadata_write3.php on line 39

Notice: Phar::getMetadata(): Error at offset 34 of 59 bytes in %sphar_metadata_write3.php on line 39
bool(false)
Calling getMetadata with some allowed classes
In wakeup
array(2) {
  [0]=>
  object(EchoesOnWakeup)#4 (0) {
  }
  [1]=>
  object(__PHP_Incomplete_Class)#5 (1) {
    ["__PHP_Incomplete_Class_Name"]=>
    string(8) "stdClass"
  }
}
Calling getMetadata with no options returns the original metadata value
array(2) {
  [0]=>
  object(EchoesOnWakeup)#2 (0) {
  }
  [1]=>
  object(stdClass)#3 (0) {
  }
}

Did this file decode correctly?

Original Code

--TEST--
Phar with unsafe object in metadata does not unserialize on reading a file.
--EXTENSIONS--
phar
--INI--
phar.require_hash=0
phar.readonly=0
--FILE--
<?php
class EchoesOnWakeup {
    public function __wakeup() {
        echo "In wakeup\n";
    }
}
$fname = __DIR__ . '/' . basename(__FILE__, '.php') . '.phar.php';
$pname = 'phar://' . $fname;
$file = "<?php __HALT_COMPILER(); ?>";

$files = array();
$files['a'] = array('cont' => 'contents of file a');
include 'files/phar_test.inc';

echo "Reading file contents through stream wrapper\n";
foreach($files as $name => $cont) {
    var_dump(file_get_contents($pname.'/'.$name));
}

$phar = new Phar($fname);
echo "Original metadata\n";
var_dump($phar->getMetadata());
$phar->setMetadata(new EchoesOnWakeup());
unset($phar);
// NOTE: Phar will use the cached value of metadata if setMetaData was called on that Phar path before.
// Save the writes to the phar and use a different file path.
$fname_new = "$fname.copy.php";
copy($fname, $fname_new);
$phar = new Phar($fname_new);
echo "Calling getMetadata\n";
var_dump($phar->getMetadata());
echo "Calling getMetadata with no allowed_classes\n";
var_dump($phar->getMetadata(['allowed_classes' => []]));
echo "Calling getMetadata with EchoesOnWakeup allowed\n";
var_dump($phar->getMetadata(['allowed_classes' => [EchoesOnWakeup::class]]));
// Part of this is a test that there are no unexpected behaviors when both selMetadata and getMetadata are used
$phar->setMetaData([new EchoesOnWakeup(), new stdClass()]);
echo "Calling getMetadata with too low max_depth\n";
var_dump($phar->getMetadata(['max_depth' => 1]));
echo "Calling getMetadata with some allowed classes\n";
var_dump($phar->getMetadata(['allowed_classes' => [EchoesOnWakeup::class]]));
echo "Calling getMetadata with no options returns the original metadata value\n";
var_dump($phar->getMetadata());
unset($phar);

?>
--CLEAN--
<?php
unlink(__DIR__ . '/' . basename(__FILE__, '.clean.php') . '.phar.php');
unlink(__DIR__ . '/' . basename(__FILE__, '.clean.php') . '.phar.php.copy.php');
?>
--EXPECTF--
Reading file contents through stream wrapper
string(18) "contents of file a"
Original metadata
NULL
Calling getMetadata
In wakeup
object(EchoesOnWakeup)#2 (0) {
}
Calling getMetadata with no allowed_classes
object(__PHP_Incomplete_Class)#2 (1) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(14) "EchoesOnWakeup"
}
Calling getMetadata with EchoesOnWakeup allowed
In wakeup
object(EchoesOnWakeup)#2 (0) {
}
Calling getMetadata with too low max_depth

Warning: Phar::getMetadata(): Maximum depth of 1 exceeded. The depth limit can be changed using the max_depth unserialize() option or the unserialize_max_depth ini setting in %sphar_metadata_write3.php on line 39

Notice: Phar::getMetadata(): Error at offset 34 of 59 bytes in %sphar_metadata_write3.php on line 39
bool(false)
Calling getMetadata with some allowed classes
In wakeup
array(2) {
  [0]=>
  object(EchoesOnWakeup)#4 (0) {
  }
  [1]=>
  object(__PHP_Incomplete_Class)#5 (1) {
    ["__PHP_Incomplete_Class_Name"]=>
    string(8) "stdClass"
  }
}
Calling getMetadata with no options returns the original metadata value
array(2) {
  [0]=>
  object(EchoesOnWakeup)#2 (0) {
  }
  [1]=>
  object(stdClass)#3 (0) {
  }
}

Function Calls

None

Variables

None

Stats

MD5 5c09c991db4d5d6c2ee98fe96a5dcf43
Eval Count 0
Decode Time 96 ms