
How to understand thinkphp5.1.37 deserialization

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

How to understand the thinkphp5.1.37 deserialization vulnerability? Many newcomers are unclear on this, so to help you work through it, the following walks through the chain in detail. Anyone who needs it is welcome to read along; I hope you get something out of it.

What comes from paper always feels shallow; to truly know a thing you must practise it yourself. There are already plenty of analyses of this chain online, but I still decided to write up the analysis and exploitation process according to my own understanding, stripping away the complexity so that it is easier to follow.

Download address:

Application project: https://github.com/top-think/think

Core framework: https://github.com/top-think/framework

Rename the framework folder to thinkphp and place it inside the think application folder (named thinkphp5.1.37 here); that gives you the complete framework to work with.

The files involved in the deserialization chain:

Start file -> thinkphp\library\think\process\pipes\Windows.php

thinkphp\library\think\model\concern\Conversion.php

thinkphp\library\think\model\concern\Attribute.php

thinkphp\library\think\model\concern\RelationShip.php

thinkphp\library\think\Model.php

thinkphp\library\think\Pivot.php

Destination file -> thinkphp\library\think\Request.php

Looks like a lot of files and a headache? Let's simplify it.

Start file -> thinkphp\library\think\process\pipes\Windows.php

thinkphp\library\think\Pivot.php

Destination file -> thinkphp\library\think\Request.php

Why write it this way? Conversion, Attribute and RelationShip are traits, so their code is reused wherever they are pulled in, and the Model class uses all three. We can therefore treat those four files as a single file. However, Model is an abstract class and cannot be instantiated directly, while Pivot inherits from Model; so Pivot is effectively the concrete combination of those four files. That means we only need to focus on three files: Windows.php, Pivot.php and Request.php.

The methods involved:

`__destruct()` and `removeFiles()` in Windows.php

`__toString()`, `toJson()` and `toArray()` in Conversion.php

`getRelation()` in RelationShip.php

`getAttr()` and `getData()` in Attribute.php

`__call()`, `isAjax()`, `param()`, `input()` and `filterValue()` in Request.php

The methods in Conversion.php, RelationShip.php and Attribute.php can be treated as methods of Pivot.php.

We split this exploitation chain into three sub-goals:

1. Use the Windows class to trigger the `__toString()` magic method.

2. Use the Pivot class to trigger the `__call()` magic method.

3. Use the Request class to reach code execution.

The full chain is:

`__destruct()` -> `removeFiles()` -> `__toString()` -> `toJson()` -> `toArray()` -> `getRelation()` -> `getAttr()` -> `getData()` -> `__call()` -> `isAjax()` -> `param()` -> `input()` -> `filterValue()`

Code analysis:

When a Windows object is deserialized, its destructor `__destruct()` runs and calls `removeFiles()`. `removeFiles()` walks `$this->files` and deletes every path that exists, so this is an arbitrary file deletion primitive: if we create a Windows object whose `$this->files` holds the path of a file, that file is deleted as soon as the object is deserialized and destroyed.

```php
public function __destruct()
{
    $this->close();
    $this->removeFiles();
}

private function removeFiles()
{
    foreach ($this->files as $filename) {
        if (file_exists($filename)) {
            @unlink($filename);
        }
    }
    $this->files = [];
}
```
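To make the mechanism concrete from the defender's side, here is an added example that is not ThinkPHP's code: a hypothetical `TempCleaner` class with the same `__destruct()` -> `removeFiles()` shape as above, run once through a plain `unserialize()` and once with `allowed_classes => false`. It uses a scratch file created in the system temp directory as a stand-in for "any file on disk".

```php
<?php
// Added example (hypothetical class, not ThinkPHP's Windows.php): shows why
// unserialize() on untrusted input must not be allowed to rebuild arbitrary
// classes, and what the allowed_classes option changes.

final class TempCleaner
{
    /** @var string[] paths this object believes it owns */
    public array $files = [];

    public function __destruct()
    {
        $this->removeFiles();
    }

    private function removeFiles(): void
    {
        foreach ($this->files as $filename) {
            if (file_exists($filename)) {
                @unlink($filename);
            }
        }
        $this->files = [];
    }
}

// Constructed sandbox: a scratch file standing in for a file the attacker wants gone.
$victim = tempnam(sys_get_temp_dir(), 'tp_demo_');
file_put_contents($victim, 'important');

// Untrusted serialized data: the attacker controls the property values, not the code.
$cleaner = new TempCleaner();
$cleaner->files = [$victim];
$untrusted = serialize($cleaner);
$cleaner->files = []; // defuse the local instance so its own destructor is harmless

// 1) Weak: plain unserialize() rebuilds TempCleaner, and its destructor fires
//    as soon as the object is released.
$obj = unserialize($untrusted);
unset($obj);
printf("after plain unserialize(): file exists = %s\n",
    var_export(file_exists($victim), true)); // false: the file was deleted

// Recreate the file for the second run.
file_put_contents($victim, 'important');

// 2) Hardened: allowed_classes => false turns every object in the stream into
//    __PHP_Incomplete_Class, which has no destructor, so nothing runs and
//    nothing is deleted. Prefer a JSON or whitelist-based format entirely when
//    the data crosses a trust boundary.
$safe = unserialize($untrusted, ['allowed_classes' => false]);
printf("restored class: %s\n", get_class($safe)); // __PHP_Incomplete_Class
unset($safe);
printf("after hardened unserialize(): file exists = %s\n",
    var_export(file_exists($victim), true)); // true: the file survived

unlink($victim);
```

The point of the second run is that the gadget code is still present in the application; what changes is that the deserializer is no longer permitted to instantiate it, so the destructor never gets a chance to run on attacker-chosen data.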

PoC for arbitrary file deletion:
