Random: fix for issues with serialize()

2025-01-21 21:41:14 +01:00 · 2016-02-14 00:44:03 -06:00 · 2016-02-14 00:44:03 -06:00 · 102d53bd27
commit 102d53bd27
parent f60e365be2
1 changed files with 45 additions and 7 deletions
--- a/phpseclib/Crypt/Random.php
+++ b/phpseclib/Crypt/Random.php
@ -148,13 +148,13 @@ if (!function_exists('crypt_random_string')) {
            session_start();

            $v = $seed = $_SESSION['seed'] = pack('H*', sha1(
-                serialize($_SERVER) .
-                serialize($_POST) .
-                serialize($_GET) .
-                serialize($_COOKIE) .
-                serialize($GLOBALS) .
-                serialize($_SESSION) .
-                serialize($_OLD_SESSION)
+                phpseclib_safe_serialize($_SERVER) .
+                phpseclib_safe_serialize($_POST) .
+                phpseclib_safe_serialize($_GET) .
+                phpseclib_safe_serialize($_COOKIE) .
+                phpseclib_safe_serialize($GLOBALS) .
+                phpseclib_safe_serialize($_SESSION) .
+                phpseclib_safe_serialize($_OLD_SESSION)
            ));
            if (!isset($_SESSION['count'])) {
                $_SESSION['count'] = 0;
@ -260,6 +260,44 @@ if (!function_exists('crypt_random_string')) {
    }
 }

+if (!function_exists('phpseclib_safe_serialize')) {
+    /**
+     * Safely serialize variables
+     *
+     * If a class has a private __sleep() method it'll give a fatal error on PHP 5.2 and earlier.
+     * PHP 5.3 will emit a warning.
+     *
+     * @param mixed $arr
+     * @param array $refs optional
+     * @access public
+     */
+    function phpseclib_safe_serialize(&$arr)
+    {
+        if (is_object($arr)) {
+            return '';
+        }
+        if (!is_array($arr)) {
+            return serialize($arr);
+        }
+        $safearr = array();
+        $unset = false;
+        if (!isset($arr['__phpseclib_marker'])) {
+            $unset = true;
+            $arr['__phpseclib_marker'] = true;
+        }
+        foreach (array_keys($arr) as $key) {
+            if (is_object($arr[$key]) || $key == '__phpseclib_marker') {
+                continue;
+            }
+            $safearr[$key] = is_array($arr[$key]) ? phpseclib_safe_serialize($arr[$key], $refs) : $arr[$key];
+        }
+        if ($unset) {
+            unset($arr['__phpseclib_marker']);
+        }
+        return serialize($safearr);
+    }
+}
+
 if (!function_exists('phpseclib_resolve_include_path')) {
    /**
     * Resolve filename against the include path.