"PHP Warning: Class __PHP_Incomplete_Class has no unserializer" when a class that was serialized with a custom handler no longer exists #18128

Open
MatmaRex opened this issue Mar 21, 2025 · 4 comments

Comments

@MatmaRex
Contributor

Description

A warning "PHP Warning: Class __PHP_Incomplete_Class has no unserializer" is emitted when a class that was serialized with a custom handler (instanceof Serializable / 'C' format) no longer exists.

This is unexpected to me, because the real problem is that the class does not exist at all, not that it has no unserializer. There's no warning for that though, the user is expected to check for instances of __PHP_Incomplete_Class.

The following code:

<?php
unserialize('C:3:"obj":23:{s:15:"My private data";}');

Resulted in this output:

PHP Warning:  Class __PHP_Incomplete_Class has no unserializer in php shell code on line 1

But I expected this output instead:

(no warnings)

PHP Version

PHP 8.3.6

Operating System

No response

@DanielEScherzer
Contributor

Cross link https://phabricator.wikimedia.org/T388725
Reproducible with https://3v4l.org/T7MVF

@DanielEScherzer
Contributor

We could remove the warning for just the incomplete class case:
At

if (ce->unserialize == NULL) {
	zend_error(E_WARNING, "Class %s has no unserializer", ZSTR_VAL(ce->name));
	object_init_ex(rval, ce);

774c774,777
< 		zend_error(E_WARNING, "Class %s has no unserializer", ZSTR_VAL(ce->name));
---
> 		// Skip warning when the class was not found and __PHP_Incomplete_Class is used
> 		if (ce != PHP_IC_ENTRY) {
> 			zend_error(E_WARNING, "Class %s has no unserializer", ZSTR_VAL(ce->name));
> 		}
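
Review bot: With the guard at `if (ce != PHP_IC_ENTRY)`, the missing-class case now reaches `object_init_ex(rval, ce)` (the line that follows the warning in the excerpt above) with no diagnostic at all, so the caller gets no signal that a record in the custom format was seen for a class that could not be loaded. Consider emitting a differently worded warning for that case instead of none, and add a test that unserializes a custom-format string for an undefined class so the chosen behaviour is pinned. The new comment would also be clearer if it said why the warning is misleading for `__PHP_Incomplete_Class`, not only that it is skipped.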

but I'm not sure if this can target 8.3+ or master, does it count as a bug fix? The error is correct, it's just unexpected

@iluuu1994
Member

iluuu1994 commented Mar 21, 2025

Well, just suppressing the warning might not be a great idea. The data originally returned by serialize() is inaccessible.

Warning: Class __PHP_Incomplete_Class has no unserializer in php-wasm run script on line 3
object(__PHP_Incomplete_Class)#1 (1) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(3) "obj"
}

Optimally, we'd store it as a property. But then again, Serializable has been deprecated since 8.1, so maybe it's best to just keep it this way until it is removed in 9.0.
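
The behaviour discussed above, as an added example that is not part of the original comments or of php-src: it captures the warning, performs the `__PHP_Incomplete_Class` check the report mentions, and reads the custom payload directly from the raw string, since the resulting object does not carry it. `extractCustomPayload` is a hypothetical helper that assumes a single top-level `C:` record; the payload string is the one from the report.

```php
<?php
// Added illustration. The payload is the one from the report; the class "obj"
// is deliberately left undefined in this script.
$payload = 'C:3:"obj":23:{s:15:"My private data";}';

// Collect warnings instead of printing them, so the caller can act on them.
$warnings = [];
set_error_handler(function (int $errno, string $errstr) use (&$warnings): bool {
    $warnings[] = $errstr;
    return true; // mark the warning as handled
}, E_WARNING);
$value = unserialize($payload);
restore_error_handler();

// The check the report says callers are expected to make.
$incomplete = $value instanceof __PHP_Incomplete_Class;

// An array cast shows what the placeholder object holds.
$props = $incomplete ? (array) $value : [];

// Hypothetical helper: read the class name and the raw custom payload from
// the serialized string. Handles only a single top-level 'C:' record and
// returns null for anything else, including a truncated payload.
function extractCustomPayload(string $serialized): ?array
{
    if (!preg_match('/^C:\d+:"([^"]+)":(\d+):\{/', $serialized, $m)) {
        return null;
    }
    $len   = (int) $m[2];
    $start = strlen($m[0]);
    // The declared length must fit and be followed by the closing brace.
    if (strlen($serialized) < $start + $len + 1
        || $serialized[$start + $len] !== '}') {
        return null;
    }
    return ['class' => $m[1], 'data' => substr($serialized, $start, $len)];
}

var_dump($warnings);
var_dump($incomplete, $props);
var_dump(extractCustomPayload($payload));
```

The extracted `data` is whatever the class's own serializer produced, so its format is class-defined and it should be treated as untrusted input like the outer string.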

@iluuu1994
Member

If you would like to see this fixed, I think this warrants a discussion on the mailing list. I don't think there's a convincing reason to fix this now, given serialize() is on its last leg, and this has been very long standing behavior (https://3v4l.org/T7MVF, since 5.1).
