archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
php-src/ext/standard/tests/serialize/serialization_objects_incomplete.phpt
Máté Kocsis adb45a63c0
Fix GH-9186 @strict-properties can be bypassed using unserialization (#9354) 
* Emit deprecation warnings when adding dynamic properties to classes during unserialization - this will become an Error in php 9.0.
  (Adding dynamic properties in other contexts was already a deprecation warning - the use case of unserialization was overlooked)
* Throw an error when attempting to add a dynamic property to a `readonly` class when unserializing
* Add new serialization methods `__serialize`/`__unserialize` for SplFixedArray to avoid creating deprecated dynamic
  properties that would then be added to the backing fixed-size array
* Don't add named dynamic/declared properties (e.g. $obj->foo) of SplFixedArray to the backing array when unserializing
* Update tests to declare properties or to expect the deprecation warning
* Add news entry

Co-authored-by: Tyson Andre <tysonandre775@hotmail.com>
2022-08-30 07:46:32 -04:00

14 lines
264 B
PHP
Raw Permalink Blame History

--TEST--
Check behaviour of incomplete class
--FILE--
<?php
$incomplete = unserialize('O:1:"C":1:{s:1:"p";i:1;}');
var_dump($incomplete);
?>
--EXPECT--
object(__PHP_Incomplete_Class)#1 (2) {
["__PHP_Incomplete_Class_Name"]=>
string(1) "C"
["p"]=>
int(1)
}
Reference in a new issue View git blame Copy permalink