Online PHP editor | refs for 0Chn9

<?php ini_set('error_reporting', '-1'); ini_set('display_errors', '1'); class SerializableClass implements \Serializable { private $foo = 'bar'; public function serialize() { return serialize([$this->foo]); } public function unserialize($serialized) { list($this->foo) = unserialize($serialized); } } class SleepableClass { private $foo = 'bar'; public function __sleep() { return ['foo']; } } function safelyUnserialize($file) { $e = null; $meta = false; // $content = file_get_contents($file); $content = $file; $signalingException = new \UnexpectedValueException(); $prevUnserializeHandler = ini_set('unserialize_callback_func', ''); $prevErrorHandler = set_error_handler(function ($type, $msg, $file, $line, $context = []) use (&$prevErrorHandler, $signalingException) { if (__FILE__ === $file) { throw $signalingException; } return $prevErrorHandler ? $prevErrorHandler($type, $msg, $file, $line, $context) : false; }); try { $meta = unserialize($content); } catch (\Throwable $e) { if ($e !== $signalingException) { throw $e; } } finally { restore_error_handler(); ini_set('unserialize_callback_func', $prevUnserializeHandler); } return $meta; } echo "\n---------- [ Serializable ] ----------\n\n"; $serializableObject = new SerializableClass(); $serializableValidPayload = serialize($serializableObject); $serializableInvalidPayload = str_replace('"SerializableClass"', '"SerializableClazz"', $serializableValidPayload); echo "\n----- Invalid payload:\n\n"; var_dump($serializableInvalidPayload); echo "\n----- unserialize()\n\n"; var_dump(unserialize($serializableInvalidPayload)); echo "\n----- safelyUnserialize()\n\n"; var_dump(safelyUnserialize($serializableInvalidPayload)); echo "\n---------- [ Sleep / Wakeup ] ----------\n\n"; $sleepableObject = new SleepableClass(); $sleepableValidPayload = serialize($sleepableObject); $sleepableInvalidPayload = str_replace('"SleepableClass"', '"SleepableClazz"', $sleepableValidPayload); echo "\n----- Invalid payload:\n\n"; var_dump($sleepableInvalidPayload); echo "\n----- unserialize()\n\n"; var_dump(unserialize($sleepableInvalidPayload)); echo "\n----- safelyUnserialize()\n\n"; var_dump(safelyUnserialize($sleepableInvalidPayload));