PHP手册中从5.5升级到5.6 unserialize函数怎么解释

Question

PHP手册中从5.5升级到5.6 unserialize的变更是这样写的：

• unserialize() will now fail if passed serialised data that has been manipulated to attempt to instantiate an object without calling its constructor.

英文比较差想知道是什么意思，传入的数据是序列化过的没有调用过constructor的对象？

我度过这样的代码，但没报错：

class A{

}

$reClass = new ReflectionClass('A');

$b = $reClass->newInstanceWithoutConstructor();

echo '<pre>';
print_r(unserialize(serialize($reClass)));
die;

Answer 1

这个问题其实是和序列化接口相关的一个修改。

5.6的更新日志里有写

5.6.0 Manipulating the serialised data by replacing C: with O: to force object instantiation without calling the constructor will now fail.

大意就是说，5.6不允许将修改已经序列化数据中的C:改为O:来避免调用类中生成器。

我们写一个类来了解这是什么意思，首先我们在PHP5.3中实现一个继承序列化接口的类

class obj implements Serializable {
    public $data;
    public function __construct() {
        $this->data = "My private data";
    }
    public function serialize() {
        return serialize($this->data);
    }
    public function unserialize($data) {
        echo 'test';
    }
}
  
$test = new obj();
echo serialize($test);//输出C:3:"obj":23:{s:15:"My private data";}

var_dump(unserialize('C:3:"obj":23:{s:15:"My private data";}'));//调用unserialize方法，输出test
var_dump(unserialize('O:3:"obj":1:{s:4:"data";s:15:"My private data";}'));//没有调用unserialize方法，没有输出

接下来我们在5.6中实验相同的代码

class obj implements Serializable {
    public $data;
    public function __construct() {
        $this->data = "My private data";
    }
    public function serialize() {
        return serialize($this->data);
    }
    public function unserialize($data) {
        echo 'test';
    }
}

$test = new obj();
echo serialize($test);//输出C:3:"obj":23:{s:15:"My private data";}

var_dump(unserialize('C:3:"obj":23:{s:15:"My private data";}'));//调用unserialize方法，输出test
var_dump(unserialize('O:3:"obj":1:{s:4:"data";s:15:"My private data";}'));//抛出了一个Warning,PHP Warning:  Erroneous data format for unserializing 'obj' 

所以其实这个更新的意思就是说，不能靠修改序列化的数据，在不调用对象构造器的情况下实例化对象