Closed as not planned
Description:
According to the PHP manual, as of PHP 8.4.0, passing a non-array value for the `allowed_classes` option in `unserialize()` should trigger a `TypeError` or `ValueError`. However, providing `['allowed_classes' => true]` still silently reconstructs the object without any exception.
Steps to Reproduce:

1. Create a file named `test.php` with the following contents:

```php
<?php
declare(strict_types=1);

class Person
{
    public string $name;
    public int $age;

    public function __construct(string $name, int $age)
    {
        $this->name = $name;
        $this->age = $age;
    }
}

$serialized = serialize(new Person('Alice', 30));
$value = $serialized;

// Pass boolean instead of an array:
$result = unserialize($value, ['allowed_classes' => true]);
var_dump($result);
```

2. Run it from the command line:

```
php test.php
```
Actual Result:

```
object(Person)#2 (2) {
  ["name"]=>
  string(5) "Alice"
  ["age"]=>
  int(30)
}
```

Expected Result:

A `TypeError` or `ValueError` should be thrown, for example:

```
PHP Fatal error: Uncaught TypeError: unserialize(): "allowed_classes" option must be an array of class names in ...
```
Reference:

PHP manual on `unserialize()` options (8.4.0): https://www.php.net/manual/en/function.unserialize.php
PHP Version
PHP 8.4.7 (cli) (built: May 9 2025 06:54:31) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.4.7, Copyright (c) Zend Technologies
with Zend OPcache v8.4.7, Copyright (c), by Zend Technologies
Operating System
Ubuntu 24.04
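The manual linked above documents `allowed_classes` as accepting either an array of class names or a bool: `true` accepts every class, `false` accepts none, and an array is an explicit allow-list. The following is an added example (not part of the issue report or of php-src) that runs the same constructed `Person` payload through all three forms and wraps the allow-list form in a helper that fails closed when anything outside the list appears, including in nested arrays or properties. The `Person` class, `restrictedUnserialize()`, `containsIncompleteClass()` and the `max_depth` value are this example's own choices.

```php
<?php
declare(strict_types=1);

// Added example, not the reporter's code: the three documented forms of the
// allowed_classes option, plus a fail-closed allow-list wrapper.

class Person
{
    public function __construct(public string $name, public int $age) {}
}

// Walk a decoded value and report whether any object was refused by the
// allow-list. Refused objects are materialised as __PHP_Incomplete_Class,
// possibly several levels deep, so a top-level instanceof is not enough.
function containsIncompleteClass(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value) || is_object($value)) {
        foreach ((array) $value as $item) {
            if (containsIncompleteClass($item)) {
                return true;
            }
        }
    }
    return false;
}

// Unserialize with an explicit allow-list and a depth cap, and reject the
// whole payload if anything outside the list was present.
function restrictedUnserialize(string $data, array $allowedClasses): mixed
{
    $result = unserialize($data, [
        'allowed_classes' => $allowedClasses, // array form: allow-list only
        'max_depth'       => 64,              // assumed cap for this example
    ]);
    if (containsIncompleteClass($result)) {
        throw new UnexpectedValueException('Payload contained a class outside the allow-list');
    }
    return $result;
}

// Constructed sample payload.
$serialized = serialize(new Person('Alice', 30));

// 1. Boolean true (the value the issue passes): every class is reconstructed.
$asAny = unserialize($serialized, ['allowed_classes' => true]);
var_dump($asAny instanceof Person);

// 2. Boolean false: no class is reconstructed; the object comes back incomplete.
$asNone = unserialize($serialized, ['allowed_classes' => false]);
var_dump($asNone instanceof __PHP_Incomplete_Class);

// 3. Explicit allow-list containing Person: reconstructed normally.
$asListed = restrictedUnserialize($serialized, [Person::class]);
var_dump($asListed instanceof Person);

// 4. Allow-list that omits Person: the wrapper refuses the payload.
try {
    restrictedUnserialize($serialized, [stdClass::class]);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Case 1 is the behaviour the issue describes and matches the documented meaning of `true`; for untrusted input the array form in cases 3 and 4 is the one that limits which classes can be instantiated, and the recursive check is what turns a partially refused payload into a hard failure rather than a silently degraded object graph.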