Subject: | Decoding dies on serialized protected attributes |
It seems PHP prepends three fake NUL characters to the names of protected attributes in serialized objects.
"Fake" because the key identifier string is "\\0\\0\\0key", not "\0\0\0key".
Test and (horrible) patch attached.
Subject: | 12protectedattr.t |
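#!/usr/bin/perl
# Regression test: unserialize() must accept an object whose protected
# attribute name arrives with its NUL bytes written as literal "\0" pairs.
use strict;
use warnings;

use Test::More tests => 1;
use PHP::Serialization qw(unserialize serialize);

# q|...| does not interpolate: "\\" collapses to one backslash, while each
# "\0" stays as two characters (backslash, zero).  The key is therefore
# 11 characters long in the input although its prefix declares s:8 -- the
# declared length only fits once every "\0" pair has been turned into a
# single NUL byte.
my $encoded = q|O:7:"Foo\\Bar":1:{s:8:"\0\0\0value";i:1;}|;

my $data = unserialize($encoded);

# Double quotes do interpolate, so the expected key holds three real NUL
# bytes followed by "value".
is( $data->{"\0\0\0value"}, 1,
    'protected attribute with escaped NUL prefix decodes to its value' );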
Subject: | Serialization.pm.protattr.diff |
diff --git a/PHP/Serialization.pm b/PHP/Serialization.pm
index 9dc3120..66bd089 100644
--- a/PHP/Serialization.pm
+++ b/PHP/Serialization.pm
@@ -104,6 +104,9 @@ sub decode {
my ($self, $string, $class, $shash) = @_;
$sorthash=$shash if defined($shash);
+ # for protected attributes
+ $string =~ s/\\0/\0/g;
+
my $cursor = 0;
$self->{string} = \$string;
$self->{cursor} = \$cursor;
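Review bot: The added `$string =~ s/\\0/\0/g;` in `decode` rewrites every backslash-zero pair in the whole input before parsing, not only those in protected property names. Any string value that legitimately contains those two characters therefore loses a byte, while its `s:N:` prefix still declares the old length. In a length-prefixed format the parser then reads past the real end of that value, which at best fails and, on untrusted input, may let string content be interpreted as structure. PHP's own serialize output carries real NUL bytes in property names, so the escaped form presumably comes from whatever stored or transported the data; I would drop the substitution and document the contract instead, e.g. `# input must be the raw serialize() bytes; undo any transport escaping before calling decode`. The rest of `decode` lies outside the hunk.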
@@ -427,7 +430,9 @@ sub _encode {
$buffer .= sprintf('d:%s;', $val);
}
elsif ( $type eq 'string' ) {
- $buffer .= sprintf('s:%d:"%s";', length($val), $val);
+ my $length = length $val;
+ $val =~ s/\0/\\0/g; # protected attributes
+ $buffer .= qq{s:$length:"$val";};
}
elsif ( $type eq 'array' ) {
if ( ref($val) eq 'ARRAY' ) {
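Review bot: In the `string` branch `$length` is taken before `$val =~ s/\0/\\0/g;`, so for any value containing a NUL byte the emitted `s:N:` prefix is smaller than the number of bytes written between the quotes. A consumer that trusts the prefix will reject or misread that record, and the substitution also hits ordinary binary string values rather than only protected property names. I would emit the value unchanged so length and payload stay consistent, `$buffer .= sprintf('s:%d:"%s";', length($val), $val);`, and leave any escaping needed for storage or transport to the caller. The attached test exercises only `unserialize`, so this path is not covered; `_encode` begins and ends outside the hunk.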