Diving into unserialize()
How PHP’s unserialize() works, and why it leads to vulnerabilities
--
Read more about unserialize vulnerabilities found in the wild here:
PHP’s unserialize() function
In a nutshell, PHP’s unserialize() function takes a string (representing a serialized object) and converts it back to a PHP object.
Basically, when you need to store a PHP object or transfer it over the network, you first use serialize() to pack it up.
serialize(): PHP object -> plain old string that represents the obj
Then when you need to use that data again, you use unserialize() to unpack and get the data that you want. Neato, am I right?
unserialize(): string containing object data -> original object
The details
According to the PHP docs, unserialize() “creates a PHP value from a stored representation”, and “takes a single serialized variable and converts it back into a PHP value”.
It takes two parameters: str and options. str is the parameter containing the serialized string waiting to be deserialized. options is an array of options that control certain function behaviors. In unserialize() particularly, the only valid user-defined option is allowed_classes, which specifies the class names that should be accepted.
We’ll dive into allowed_classes further, but essentially, when unserialize() encounters an object of a class that isn’t in the accepted list, the object is instantiated as __PHP_Incomplete_Class instead.
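To make the allowed_classes behavior concrete, here is an added example (not from the original article) that feeds the same serialized string to unserialize() with three different settings. The UserPrefs class and the serialized payload are constructed for this illustration.

```php
<?php
// Added example: how unserialize()'s allowed_classes option decides
// whether a class named in the input is instantiated or replaced by
// __PHP_Incomplete_Class. Class and payload are constructed for this demo.

class UserPrefs
{
    public string $theme = 'dark';
    public int $pageSize = 25;
}

// Constructed serialized payload in PHP's native format:
//   O:9:"UserPrefs"  -> an object whose class name is 9 characters long
//   :2:{...}         -> with 2 properties
//   s:5:"theme";s:4:"dark";  -> string property "theme" = "dark"
//   s:8:"pageSize";i:25;     -> integer property "pageSize" = 25
$packed = 'O:9:"UserPrefs":2:{s:5:"theme";s:4:"dark";s:8:"pageSize";i:25;}';

// 1. Default behaviour: whatever class the string names gets instantiated,
//    so the input data decides which class's code will run later.
$default = unserialize($packed);
var_dump(get_class($default));

// 2. Allow-list: only the classes this code expects are instantiated.
//    This is the setting to use when the input is not fully trusted.
$allowed = unserialize($packed, ['allowed_classes' => ['UserPrefs']]);
var_dump($allowed instanceof UserPrefs);

// 3. allowed_classes => false: no class is accepted, so every object in
//    the input becomes __PHP_Incomplete_Class. Its property data is kept,
//    but it has no methods, so none of the original class's code can run.
$blocked = unserialize($packed, ['allowed_classes' => false]);
var_dump($blocked instanceof __PHP_Incomplete_Class);
var_dump((array) $blocked);  // properties plus __PHP_Incomplete_Class_Name

// Helper a defender can use after unserializing untrusted data: reject the
// result if any object in it was downgraded to __PHP_Incomplete_Class.
function containsIncompleteClass(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value) || is_object($value)) {
        foreach ((array) $value as $item) {
            if (containsIncompleteClass($item)) {
                return true;
            }
        }
    }
    return false;
}

var_dump(containsIncompleteClass($allowed), containsIncompleteClass($blocked));
```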
How it works
Step 0: What are PHP magic methods?
PHP magic methods are function names in PHP that have “magical” properties. Learn more about them…