From 7cbbc66da933997bd2b5151f513eb1daed1b1208 Mon Sep 17 00:00:00 2001
From: Crys <1208344+huncrys@users.noreply.github.com>
Date: Wed, 12 Mar 2025 16:35:27 +0100
Subject: [PATCH] Prevent circumvention via specially crafted serialized string

According to upstream sources a sign (`+`, `-`) is accepted before the length: https://github.com/php/php-src/blob/PHP-5.4.45/ext/standard/var_unserializer.re#L260-L266

So it is possible to circumvent the polyfill by manually adding it, i.e.: `O:9:"Exception"` vs `O:+9:"Exception"`
---
 src/DisallowedClassesSubstitutor.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/DisallowedClassesSubstitutor.php b/src/DisallowedClassesSubstitutor.php
index 9740d1a..eeac7cb 100644
--- a/src/DisallowedClassesSubstitutor.php
+++ b/src/DisallowedClassesSubstitutor.php
@@ -10,7 +10,7 @@ final class DisallowedClassesSubstitutor
 {
 const PATTERN_STRING = '#s:(\d+):(")#';
- const PATTERN_OBJECT = '#(^|;)O:\d+:"([^"]*)":(\d+):\{#';
+ const PATTERN_OBJECT = '#(^|;)O:[+-]?\d+:"([^"]*)":(\d+):\{#';
 /**
 * @var string
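Review bot: The property-count group `(\d+)` at the end of the new PATTERN_OBJECT is still unsigned, so if the upstream scanner tolerates a sign there as well (in the cited var_unserializer.re the count appears to be read by parse_iv2, which accepts `+`/`-`), a payload such as `O:9:"Exception":+0:{}` would slip past the substitutor the same way `O:+9:"Exception"` did before this patch; `'#(^|;)O:[+-]?\d+:"([^"]*)":[+-]?(\d+):\{#'` closes that variant without renumbering the capture groups. The untouched PATTERN_STRING on the context line above has the same `s:(\d+):` shape and, per the same upstream reasoning, a signed string length like `s:+5:"..."` would not match it; whether that matters depends on how the pattern is used outside this hunk (if it is used to skip over string bodies, a non-matching length would desynchronise that skipping), so it is worth checking alongside this change, e.g. `'#s:[+-]?(\d+):(")#'`. The commit also ships no regression test; a case feeding `O:+9:"Exception"` (and the `:+0:{` form) through the substitutor would pin the fix. The class body and any code consuming these constants lie outside the hunk.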