add __sleep and __wakeup functions to prevent serialize/deserialize from being used on PDO objects. Refs PECL #5217

Wez Furlong 2005-09-10 17:48:45 +00:00
parent 6b0d0f7ceb
commit efe24c0205
3 changed files with 63 additions and 0 deletions


@ -960,6 +960,22 @@ static PHP_METHOD(PDO, quote)
}
/* }}} */
/* {{{ proto int PDO::__wakeup()
Prevents use of a PDO instance that has been unserialized */
static PHP_METHOD(PDO, __wakeup)
{
zend_throw_exception_ex(php_pdo_get_exception(), 0 TSRMLS_CC, "You cannot serialize or unserialize PDO instances");
}
/* }}} */
/* {{{ proto int PDO::__sleep()
Prevents serialization of a PDO instance */
static PHP_METHOD(PDO, __sleep)
{
zend_throw_exception_ex(php_pdo_get_exception(), 0 TSRMLS_CC, "You cannot serialize or unserialize PDO instances");
}
/* }}} */
function_entry pdo_dbh_functions[] = {
PHP_ME_MAPPING(__construct, dbh_constructor, NULL)
@ -975,6 +991,8 @@ function_entry pdo_dbh_functions[] = {
PHP_ME(PDO, errorInfo, NULL, ZEND_ACC_PUBLIC)
PHP_ME(PDO, getAttribute, NULL, ZEND_ACC_PUBLIC)
PHP_ME(PDO, quote, NULL, ZEND_ACC_PUBLIC)
PHP_ME(PDO, __wakeup, NULL, ZEND_ACC_PUBLIC|ZEND_ACC_FINAL)
PHP_ME(PDO, __sleep, NULL, ZEND_ACC_PUBLIC|ZEND_ACC_FINAL)
{NULL, NULL, NULL}
};
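Review bot: The doc comments `/* {{{ proto int PDO::__wakeup()` and `/* {{{ proto int PDO::__sleep()` promise an int return, but both bodies only call zend_throw_exception_ex() and never set a return value, so the prototype lines should read `proto void PDO::__wakeup()` and `proto void PDO::__sleep()`; the same mismatch appears in the PDOStatement section below. The two methods repeat one message string verbatim, and a file-scope `static const char pdo_no_serialize_msg[] = "You cannot serialize or unserialize PDO instances";` passed as the format argument would keep the __sleep and __wakeup texts from drifting apart. Registering both entries with ZEND_ACC_FINAL in the function table is the right choice, since a subclass overriding __sleep could otherwise re-enable serialization of the handle.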


@ -1859,6 +1859,21 @@ static PHP_METHOD(PDOStatement, debugDumpParams)
}
/* }}} */
/* {{{ proto int PDOStatement::__wakeup()
Prevents use of a PDOStatement instance that has been unserialized */
static PHP_METHOD(PDOStatement, __wakeup)
{
zend_throw_exception_ex(php_pdo_get_exception(), 0 TSRMLS_CC, "You cannot serialize or unserialize PDOStatement instances");
}
/* }}} */
/* {{{ proto int PDOStatement::__sleep()
Prevents serialization of a PDOStatement instance */
static PHP_METHOD(PDOStatement, __sleep)
{
zend_throw_exception_ex(php_pdo_get_exception(), 0 TSRMLS_CC, "You cannot serialize or unserialize PDOStatement instances");
}
/* }}} */
function_entry pdo_dbstmt_functions[] = {
PHP_ME(PDOStatement, execute, NULL, ZEND_ACC_PUBLIC)
@ -1880,6 +1895,8 @@ function_entry pdo_dbstmt_functions[] = {
PHP_ME(PDOStatement, nextRowset, NULL, ZEND_ACC_PUBLIC)
PHP_ME(PDOStatement, closeCursor, NULL, ZEND_ACC_PUBLIC)
PHP_ME(PDOStatement, debugDumpParams, NULL, ZEND_ACC_PUBLIC)
PHP_ME(PDOStatement, __wakeup, NULL, ZEND_ACC_PUBLIC|ZEND_ACC_FINAL)
PHP_ME(PDOStatement, __sleep, NULL, ZEND_ACC_PUBLIC|ZEND_ACC_FINAL)
{NULL, NULL, NULL}
};


@ -0,0 +1,28 @@
--TEST--
PDO Common: PECL Bug #5217: serialize/unserialze safety
--SKIPIF--
<?php # vim:ft=php
if (!extension_loaded('pdo')) die('skip');
$dir = getenv('REDIR_TEST_DIR');
if (false == $dir) die('skip no driver');
require_once $dir . 'pdo_test.inc';
PDOTest::skip();
?>
--FILE--
<?php
require getenv('REDIR_TEST_DIR') . 'pdo_test.inc';
$db = PDOTest::factory();
try {
$ser = serialize($db);
debug_zval_dump($ser);
$db = unserialize($ser);
$db->exec('CREATE TABLE test (id int NOT NULL PRIMARY KEY, val VARCHAR(10))');
} catch (Exception $e) {
echo "Safely caught " . $e->getMessage() . "\n";
}
echo "PHP Didn't crash!\n";
?>
--EXPECT--
Safely caught You cannot serialize or unserialize PDO instances
PHP Didn't crash!
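Review bot: The test never exercises the __wakeup path: serialize($db) throws first, so `$db = unserialize($ser);` on the following line is skipped and only __sleep is covered, while __wakeup, the handler that matters when the serialized string was not produced by serialize(), has no coverage. A second try/catch that feeds unserialize() a constructed payload such as `unserialize('O:3:"PDO":0:{}');` and expects the same "Safely caught" message would cover it; the PDOStatement handlers added in the same commit are likewise untested here. The --TEST-- title also misspells "unserialize" as "unserialze".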