Merge pull request #196 from mcdruid/public_attributes

PublicProperties enhancement

Author: cfreal

lib/PHPGGC.php

@@ -174,6 +174,8 @@ public function setup_enhancements()
             $enhancements[] = new Enhancement\Wrapper($this->parameters['wrapper']);
         if(in_array('fast-destruct', $this->options))
             $enhancements[] = new Enhancement\FastDestruct();
+        if(in_array('public-properties', $this->options))
+            $enhancements[] = new Enhancement\PublicProperties();
         if(in_array('ascii-strings', $this->options))
             $enhancements[] = new Enhancement\ASCIIStrings(false);
         if(in_array('armor-strings', $this->options))
@@ -598,6 +600,11 @@ protected function help()
         $this->o('     This is experimental and it might not work in some cases.');
         $this->o('     Note: Since strings grow by a factor of 3 using this option, the payload can get');
         $this->o('     really long.');
+        $this->o('  --public-properties');
+        $this->o('     Attempts to convert references to protected or private properties within the serialized');
+        $this->o('     payload to public. The resulting payload should contain no null bytes and may be a little');
+        $this->o('     shorter.');
+        $this->o('     This is experimental and it might not work in some cases.');
         $this->o('  -n, --plus-numbers <types>');
         $this->o('     Adds a + symbol in front of every number symbol of the given type.');
         $this->o('     For instance, -n iO adds a + in front of every int and object name size:');
@@ -679,6 +686,7 @@ function _parse_cmdline_arg(&$i, &$argv, &$parameters, &$options)
             'session-encode' => false,
             # Enhancements
             'fast-destruct' => false,
+            'public-properties' => false,
             'ascii-strings' => false,
             'armor-strings' => false,
             'plus-numbers' => true,
@@ -702,6 +710,7 @@ function _parse_cmdline_arg(&$i, &$argv, &$parameters, &$options)
             'phar-jpeg' => 'pj',
             'phar-prefix' => 'pp',
             'phar-filename' => 'pf',
+            'public-properties' => 'pub',
             'new' => 'N',
             'ascii-strings' => 'a',
             'armor-strings' => 'A',

lib/PHPGGC/Enhancement/PublicProperties.php

@@ -0,0 +1,43 @@
+<?php
+
+namespace PHPGGC\Enhancement;
+
+/**
+* Public Properties
+* Attempts to convert references to protected or private properties within the
+* serialized payload to public.
+*
+* This can be useful because when PHP serializes a non-public property of an
+* object it prepends the property name with an asterisk (for protected) or the
+* class name (for private) surrounded by null bytes, which are easy to lose if
+* the payload is transmitted or stored as plain text without encoding. If that
+* happens, the payload will fail to unserialize because the string length of the
+* property name (and the name itself) will be incorrect.
+*
+* As an added bonus, payloads are slightly smaller without the prefixes.
+*
+* Converting properties to public tends to work in more recent PHP versions but
+* can cause problems in older versions (before PHP 7.2).
+*
+* This functionality may not work properly if a chain includes one or more
+* objects that have a custom serialize / unserialize implementation.
+*/
+class PublicProperties extends Enhancement
+{
+
+    /**
+     * Post process step of the public-properties technique: removes prefixes
+     * denoting protected or private properties, converting them to public.
+     */
+    public function process_serialized($serialized)
+    {
+        return preg_replace_callback('/\bs:(\d+):"\x00([\w\\\]+|\*)\x00/', [$this, 'remove_prefix'], $serialized);
+    }
+
+    public function remove_prefix($matches)
+    {
+        $length = $matches[1];
+        $reduction = strlen($matches[2]) + 2; // prefix + 2 null bytes
+        return 's:' . ($length - $reduction) . ':"';
+    }
+}