bug72785.phpt   [plain text]

--TEST--
Bug #72785: allowed_classes only applies to outermost unserialize()
--FILE--
<?php

// Forbidden class
class A {}

$p = 'x:i:0;a:1:{i:0;O:1:"A":0:{}};m:a:0:{}';
$s = 'C:11:"ArrayObject":' . strlen($p) . ':{' . $p . '}';
var_dump(unserialize($s, ['allowed_classes' => ['ArrayObject']]));

?>
--EXPECT--
object(ArrayObject)#1 (1) {
  ["storage":"ArrayObject":private]=>
  array(1) {
    [0]=>
    object(__PHP_Incomplete_Class)#2 (1) {
      ["__PHP_Incomplete_Class_Name"]=>
      string(1) "A"
    }
  }
}