Find this useful? Enter your email to receive occasional updates for securing PHP code.

Signing you up...

Thank you for signing up!

PHP Decode

--TEST-- Bug #72785: allowed_classes only applies to outermost unserialize() --FILE-- <?ph..

Decoded Output download

--TEST--
Bug #72785: allowed_classes only applies to outermost unserialize()
--FILE--
<?php

// Forbidden class
class A {}

$p = 'x:i:0;a:1:{i:0;O:1:"A":0:{}};m:a:0:{}';
$s = 'C:11:"ArrayObject":' . strlen($p) . ':{' . $p . '}';
var_dump(unserialize($s, ['allowed_classes' => ['ArrayObject']]));

?>
--EXPECT--
object(ArrayObject)#1 (1) {
  ["storage":"ArrayObject":private]=>
  array(1) {
    [0]=>
    object(__PHP_Incomplete_Class)#2 (1) {
      ["__PHP_Incomplete_Class_Name"]=>
      string(1) "A"
    }
  }
}

Did this file decode correctly?

Original Code

--TEST--
Bug #72785: allowed_classes only applies to outermost unserialize()
--FILE--
<?php

// Forbidden class
class A {}

$p = 'x:i:0;a:1:{i:0;O:1:"A":0:{}};m:a:0:{}';
$s = 'C:11:"ArrayObject":' . strlen($p) . ':{' . $p . '}';
var_dump(unserialize($s, ['allowed_classes' => ['ArrayObject']]));

?>
--EXPECT--
object(ArrayObject)#1 (1) {
  ["storage":"ArrayObject":private]=>
  array(1) {
    [0]=>
    object(__PHP_Incomplete_Class)#2 (1) {
      ["__PHP_Incomplete_Class_Name"]=>
      string(1) "A"
    }
  }
}

Function Calls

None

Variables

None

Stats

MD5 cbef879fa5a89a2d019a3197a730d7a8
Eval Count 0
Decode Time 103 ms