ErrorException: unserialize(): /phpunit/Util/PHP/AbstractPhpProcess.php:247 - processIsolation="true" / print HTML / exit() #3165

Closed
dertin opened this issue Jun 12, 2018 · 8 comments


dertin commented Jun 12, 2018

Hi, I share my test.

Versions:

PHP 7.2.1-dev (cli) (built: Jan 24 2018 21:14:42) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.2.1-dev, Copyright (c) 1999-2017, by Zend Technologies

PHPUnit 7.1.2 by Sebastian Bergmann and contributors.  ==> composer

phpunit.xml - processIsolation="true"

<phpunit bootstrap="bootstrap.php"
colors="true"
processIsolation="true"
verbose="true">
  <testsuites>
    <testsuite name="AllTests">
      <directory>./tests</directory>
    </testsuite>
  </testsuites>
</phpunit>

Test code:

public function testPrint()
{
    try {
        ob_start();
        htmlPrint();
        $htmlIndex = ob_get_clean(); // HTML code

        // Fail if errors HTML
        if ($htmlIndex != strip_tags($htmlIndex)) {
            $this->assertTrue(true, 'OK');
        } else {
            $this->fail('Not HTML');
        }
    } catch (\Exception $e) {
        $this->fail('Exception: '.$e->getMessage());
    }
}

Code that I want to test:
I notice that if you have an exit() statement in the code that prints the HTML, this causes an error.

    private function generateHTMLOutput()
    {
        echo '<!DOCTYPE html><html lang="es" dir="ltr" itemscope="itemscope" itemtype="http://schema.org/WebPage"><head><meta charset="UTF-8"><title>Test</title></head><body><div class="wrapper"><p>Hello</p></div></body></html>';
        exit(); // CAUSE THE ERROR
    }

    public function htmlPrint()
    {
        $this->generateHTMLOutput();
    }

ERROR:

There was 1 error:

1) Particle\Apps\Test\TestingControllerTest::testPrint
PHPUnit\Framework\Exception: <!DOCTYPE html><html lang="es" dir="ltr" itemscope="itemscope" itemtype="http://schema.org/WebPage"><head><meta charset="UTF-8"><title>Test</title></head><body><div class="wrapper"><p>Hello</p></div></body></html>

Caused by
ErrorException: unserialize(): Error at offset 0 of 213 bytes in phar:///usr/local/bin/phpunit/phpunit/Util/PHP/AbstractPhpProcess.php:247
Stack trace:
#0 [internal function]: PHPUnit\Util\PHP\AbstractPhpProcess->PHPUnit\Util\PHP\{closure}(8, 'unserialize(): ...', 'phar:///usr/loc...', 247, Array)
#1 phar:///usr/local/bin/phpunit/phpunit/Util/PHP/AbstractPhpProcess.php(247): unserialize('<!DOCTYPE html>...')
#2 phar:///usr/local/bin/phpunit/phpunit/Util/PHP/AbstractPhpProcess.php(171): PHPUnit\Util\PHP\AbstractPhpProcess->processChildResult(Object(Particle\Apps\Test\TestingControllerTest), Object(PHPUnit\Framework\TestResult), '<!DOCTYPE html>...', '')
#3 phar:///usr/local/bin/phpunit/phpunit/Framework/TestCase.php(803): PHPUnit\Util\PHP\AbstractPhpProcess->runTestJob('<?php\nuse PHPUn...', Object(Particle\Apps\Test\TestingControllerTest), Object(PHPUnit\Framework\TestResult))
#4 phar:///usr/local/bin/phpunit/phpunit/Framework/TestSuite.php(776): PHPUnit\Framework\TestCase->run(Object(PHPUnit\Framework\TestResult))
#5 phar:///usr/local/bin/phpunit/phpunit/Framework/TestSuite.php(776): PHPUnit\Framework\TestSuite->run(Object(PHPUnit\Framework\TestResult))
#6 phar:///usr/local/bin/phpunit/phpunit/TextUI/TestRunner.php(566): PHPUnit\Framework\TestSuite->run(Object(PHPUnit\Framework\TestResult))
#7 phar:///usr/local/bin/phpunit/phpunit/TextUI/Command.php(203): PHPUnit\TextUI\TestRunner->doRun(Object(PHPUnit\Framework\TestSuite), Array, true)
#8 phar:///usr/local/bin/phpunit/phpunit/TextUI/Command.php(156): PHPUnit\TextUI\Command->run(Array, true)
#9 /usr/local/bin/phpunit(589): PHPUnit\TextUI\Command::main()
#10 {main}
ERRORS!

stale bot commented Aug 11, 2018

This issue has been automatically marked as stale because it has not had activity within the last 60 days. It will be closed after 7 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Aug 11, 2018
Contributor

keradus commented Aug 12, 2018

@Stale, go away pls

The error happens to multiple people, this is not the first report, and we have all the details now. Having a crash of unserializing into an abstract class is not nice, for sure.

@stale stale bot removed the stale label Aug 12, 2018
Author

dertin commented Sep 6, 2018

@keradus I do not understand why it is not safe.

You mean this: https://www.notsosecure.com/remote-code-execution-via-php-unserialize/
It could be injected into the HTML code that I'm trying to validate, i.e. some PHP object.
How can I do it safely?

Contributor

keradus commented Sep 7, 2018

Sorry, I didn't get your message. What is not safe? I didn't say that anything here is safe or not,
I simply confirmed this as a bug, so the stale bot would not close the issue.

Author

dertin commented Sep 7, 2018

Hi @keradus
Maybe I got it wrong; I thought it referred to the following:

-> Check the line where it crashes:
https://github.com/sebastianbergmann/phpunit/blob/master/src/Util/PHP/AbstractPhpProcess.php#L249

Is the security enough, or must the second parameter be applied to the unserialize() function:

- $childResult = \unserialize(\str_replace("#!/usr/bin/env php\n", '', $stdout));
+ $childResult = \unserialize(\str_replace("#!/usr/bin/env php\n", '', $stdout), ['allowed_classes' => ["\PHPUnit\Framework\TestResult", ...] ]);
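
Review bot: on the `+` line the result of `\unserialize()` is still assigned to `$childResult` unchecked, and restricting `allowed_classes` does not change what happens when `$stdout` is not serialized data at all; the trace in the report shows `unserialize('<!DOCTYPE html>...')` failing at offset 0 before any class is involved. Suggest handling a `false` return (or validating the payload) before `$childResult` is used. The allow-list is elided with `...`, so it cannot be reviewed as complete, and any class present in the child's result but missing from the list will come back as `__PHP_Incomplete_Class`. For the entries, prefer `TestResult::class` over a double-quoted string that relies on `\P`, `\F` and `\T` not being escape sequences.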

Contributor

keradus commented Sep 7, 2018

Sorry, but I don't see how the crash error log is related to unserialize with or without allowed_classes.
If you know it is (and simply only I don't see it), please raise a PR with a test case of the discovered bug and your proposal for fixing it. Thanks!
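
The two questions in this thread (the offset-0 crash and the `allowed_classes` option) are separate, which the following added example shows; it is not PHPUnit's code and not from any participant. `decodeChildResult`, `ChildReport` and `Unexpected` are hypothetical names, and the sample child outputs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not PHPUnit's code: decode what a child process wrote to stdout.
function decodeChildResult(string $stdout, array $allowedClasses): array
{
    $payload = str_replace("#!/usr/bin/env php\n", '', $stdout);

    // Serialized PHP data starts with a type tag and ':' (or "N;" for null).
    // HTML echoed before exit() fails here, at offset 0, whatever the allow-list is.
    if (preg_match('/^(?:[abdisOC]:|N;)/', $payload) !== 1) {
        return ['ok' => false, 'reason' => 'output is not serialized data'];
    }

    // Detect failure by return value; "b:0;" is the only payload that validly yields false.
    $value = @unserialize($payload, ['allowed_classes' => $allowedClasses]);
    if ($value === false && $payload !== 'b:0;') {
        return ['ok' => false, 'reason' => 'corrupt or truncated serialized data'];
    }

    return ['ok' => true, 'value' => $value];
}

// Constructed stand-ins for a result class and for a class the parent does not expect.
final class ChildReport { public $tests = 1; }
final class Unexpected { public $note = 'x'; }

// Constructed sample outputs of a child process.
$samples = [
    'html then exit()' => '<!DOCTYPE html><html><body><p>Hello</p></body></html>',
    'expected result'  => serialize(['result' => new ChildReport()]),
    'unlisted class'   => serialize(['result' => new Unexpected()]),
    'truncated'        => substr(serialize(['result' => new ChildReport()]), 0, 20),
];

foreach ($samples as $label => $stdout) {
    $decoded = decodeChildResult($stdout, [ChildReport::class]);
    if (!$decoded['ok']) {
        printf("%-17s rejected: %s\n", $label, $decoded['reason']);
        continue;
    }
    // A class outside the allow-list is not instantiated; it arrives as __PHP_Incomplete_Class.
    printf("%-17s decoded as %s\n", $label, get_class($decoded['value']['result']));
}
```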


stale bot commented Nov 6, 2018

This issue has been automatically marked as stale because it has not had activity within the last 60 days. It will be closed after 7 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Nov 6, 2018

stale bot commented Nov 13, 2018

This issue has been automatically closed because it has not had activity since it was marked as stale. Thank you for your contributions.

@stale stale bot closed this as completed Nov 13, 2018