Mantis - Quercus
Viewing Issue Advanced Details
3329 minor always 02-09-09 01:12 02-09-09 06:55
tlandmann  
nam  
normal  
closed 3.2.1  
fixed  
none    
none 4.0.0  
0003329: unserialize crashes with Java exception under certain circumstances
When unserialize() is given a broken serialized string, mod_php consistently returns FALSE. However, Quercus in the same situation frequently crashes with a Java exception.

For instance this call crashes Quercus:
unserialize('s:20:"a string";');

Note the small attachment to this report for a slightly more detailed understanding.

Please note that the problem doesn't seem to be limited to plain strings only but also to arrays as well as strings nested in them.

At the moment as a workaround the fully-compatible "correct" behaviour can be emulated by coding like this:

$unserialized_result=unserialize($string); // version that may crash

=> has to become:

$unserialized_result=null;
try
{
   $unserialized_result=unserialize($string);
}
catch (Exception $e)
{
   $unserialized_result=false;
}

However, this is obviously not a preferred long-term approach.


I'd like to point out that the problem is more than just academic. One of the latest versions of Drupal "installs" such invalid serialized strings in the database, perhaps due to some misconceptions about character encodings (i.e. when a UTF-8-encoded string gets serialized using a different encoding, string lengths may differ later on). In any case I recommend fixing the issue.

I'd also like to mention again that I recently reported another issue in connection with serialize()/unserialize() (0003307) that you might want to solve right away while touching serialize() and unserialize() anyway.

Attached file: unserialize_bug_demo.php (346 bytes) 02-09-09 01:12
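The failure mode in this report, as an added example that is not part of the original report and is not Quercus or PHP source: a bounds-checked reader for a subset of the serialize() format (i, b, s, a) that checks the declared string length against the remaining input before slicing, so malformed data produces a failure result instead of an exception. It is written in Python as a language-neutral sketch; all function names are hypothetical.

```python
import re

class Malformed(Exception):
    """Raised internally when the input is not a well-formed serialized value."""

def _expect(buf, pos, token):
    if buf[pos:pos + len(token)] != token:
        raise Malformed(f"expected {token!r} at offset {pos}")
    return pos + len(token)

def _read_int(buf, pos, terminator):
    end = buf.find(terminator, pos)
    digits = buf[pos:end] if end != -1 else b""
    if not re.fullmatch(rb"-?\d{1,18}", digits):
        raise Malformed(f"bad integer at offset {pos}")
    return int(digits), end + len(terminator)

def _parse(buf, pos):
    tag = buf[pos:pos + 2]
    if tag in (b"i:", b"b:"):
        value, pos = _read_int(buf, pos + 2, b";")
        return (bool(value) if tag == b"b:" else value), pos
    if tag == b"s:":
        length, pos = _read_int(buf, pos + 2, b":")
        pos = _expect(buf, pos, b'"')
        # The case from the report: s:20:"a string"; declares more bytes than
        # the input holds. Check the length before touching the payload.
        if length < 0 or pos + length > len(buf):
            raise Malformed("declared string length exceeds input")
        # A length that fits but is wrong (characters counted instead of
        # bytes) is caught here, because the closing '";' is not where expected.
        return buf[pos:pos + length], _expect(buf, pos + length, b'";')
    if tag == b"a:":
        count, pos = _read_int(buf, pos + 2, b":")
        pos = _expect(buf, pos, b"{")
        result = {}
        for _ in range(count):
            key, pos = _parse(buf, pos)
            if not isinstance(key, (int, bytes)):
                raise Malformed("array key must be an integer or a string")
            result[key], pos = _parse(buf, pos)
        return result, _expect(buf, pos, b"}")
    raise Malformed(f"unknown type tag at offset {pos}")

def php_unserialize(data: bytes):
    """Return (ok, value). ok is False for malformed input; never raises."""
    try:
        return True, _parse(data, 0)[0]
    except (Malformed, RecursionError):
        return False, None
```

Returning an (ok, value) pair avoids the ambiguity of a bare false result, which a correctly serialized boolean false would also produce.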

Notes
(0003815)
nam   
02-09-09 06:55   
php/1222

Fixed for 4.0.

Thanks for the report. To expedite things, please include the stack trace in future reports.