--TEST--
Bug #72785: allowed_classes only applies to outermost unserialize()
--FILE--
<?php
// Regression fixture for bug #72785. Class A is deliberately left out of the
// allowed_classes list used below, so unserialize() must never instantiate it.
class A {}

// Inner payload carried by the ArrayObject record. The expected output shows
// it decoding to a storage array with a single element of class "A".
// NOTE(review): the x:/m: entries look like ArrayObject's flags and member
// sections; confirm against the SPL serialization format.
$innerPayload = 'x:i:0;a:1:{i:0;O:1:"A":0:{}};m:a:0:{}';

// Wrap the payload in a "C:" (custom-serialized object) record for ArrayObject,
// so that the reference to "A" is nested inside ArrayObject's own payload
// rather than sitting at the top level of the string.
$serialized = 'C:11:"ArrayObject":' . strlen($innerPayload) . ':{' . $innerPayload . '}';

// Only ArrayObject is allowed. The restriction has to hold for the nested "A"
// as well: the expected output requires it to surface as
// __PHP_Incomplete_Class instead of a live A instance.
$options = ['allowed_classes' => ['ArrayObject']];
$result = unserialize($serialized, $options);
var_dump($result);
?>
--EXPECT--
object(ArrayObject)#1 (1) {
["storage":"ArrayObject":private]=>
array(1) {
[0]=>
object(__PHP_Incomplete_Class)#2 (1) {
["__PHP_Incomplete_Class_Name"]=>
string(1) "A"
}
}
}