
PHP String and Binary Data

Frank edited this page Jan 17, 2022 · 2 revisions

'S' Typed Strings

libphpserialize can serialize str and bytes values into 'S' typed strings, which PHP accepts when unserializing.
The following examples demonstrate how it can be used:

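from phpserialize import serialize, S

# Default behaviour: only non-printable characters are escaped
print(serialize(S('string')))
print(serialize(S(b'bytes')))
print(serialize(S(range(256))))

# Escape only the listed characters
print(serialize(S('test', 'e')))
# Escape the bytes for which the predicate returns True
print(serialize(S('test', lambda x: x == 0x65)))
# Escape every byte
print(serialize(S('test', encode_all=True)))
# Choose the format of the hex escape (uppercase here)
print(serialize(S(b'\xff', format='02X')))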

Output:

S:6:"string";
S:5:"bytes";
S:256:"\00\01\02\03\04\05\06\07\08


\0e\0f\10\11\12\13\14\15\16\17\18\19\1a\1b\1c\1d\1e\1f !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\5c]^_`abcdefghijklmnopqrstuvwxyz{|}~\7f\80\81\82\83\84\85\86\87\88\89\8a\8b\8c\8d\8e\8f\90\91\92\93\94\95\96\97\98\99\9a\9b\9c\9d\9e\9f\a0\a1\a2\a3\a4\a5\a6\a7\a8\a9\aa\ab\ac\ad\ae\af\b0\b1\b2\b3\b4\b5\b6\b7\b8\b9\ba\bb\bc\bd\be\bf\c0\c1\c2\c3\c4\c5\c6\c7\c8\c9\ca\cb\cc\cd\ce\cf\d0\d1\d2\d3\d4\d5\d6\d7\d8\d9\da\db\dc\dd\de\df\e0\e1\e2\e3\e4\e5\e6\e7\e8\e9\ea\eb\ec\ed\ee\ef\f0\f1\f2\f3\f4\f5\f6\f7\f8\f9\fa\fb\fc\fd\fe\ff";
S:4:"t\65st";
S:4:"t\65st";
S:4:"\74\65\73\74";
S:1:"\FF";

By default, S encodes only non-printable characters.

This type can be used for serializing data in circumstances such as:

  • passing binary data as a PHP string;
  • bypassing WAFs that take effect before unserializing happens;
  • etc.

Storing binary data directly in a Python str could be problematic. You could use this instead.

See ext/standard/var_unserializer.re:unserialize_str(). It was first introduced around PHP 5.1 and 5.2 (https://github.com/php/php-src/commit/8f5310af). Documentation for this feature could not be found anywhere, so I'm not sure what it should be called.
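Any inspection that runs before unserialize() has to decode these escapes to see the bytes PHP will actually produce. The following added example (not part of libphpserialize or of the original page) rewrites well-formed S tokens as plain s tokens, following the decoding loop in unserialize_str(). The function names and the sample payload are constructed for illustration, and the regex scan is a heuristic, not a full parser.

```python
import re

_S_HEADER = re.compile(rb'S:(\d{1,10}):"')   # S:<decoded length>:"
_HEX_PAIR = re.compile(rb'[0-9A-Fa-f]{2}')

def decode_s_body(buf, pos, length):
    """Decode `length` bytes from buf[pos:]; a backslash always introduces
    two hex digits and yields one byte. Returns (bytes, next_pos) or None."""
    out = bytearray()
    for _ in range(length):
        if pos >= len(buf):
            return None                      # ran out of input
        if buf[pos] != 0x5C:                 # literal byte
            out.append(buf[pos])
            pos += 1
        else:
            pair = buf[pos + 1:pos + 3]
            if not _HEX_PAIR.fullmatch(pair):
                return None                  # bad escape
            out.append(int(pair, 16))
            pos += 3
    return bytes(out), pos

def normalize(payload):
    """Rewrite each well-formed S:n:"..."; token as s:n:"<decoded>";.
    Heuristic scan, not a full parser (assumption of this example)."""
    out, i = bytearray(), 0
    while True:
        m = _S_HEADER.search(payload, i)
        if m is None:
            return bytes(out + payload[i:])
        res = decode_s_body(payload, m.end(), int(m.group(1)))
        if res is None or payload[res[1]:res[1] + 2] != b'";':
            out += payload[i:m.end()]        # malformed: copy through unchanged
            i = m.end()
            continue
        body, end = res
        out += payload[i:m.start()] + b's:%d:"%s";' % (len(body), body)
        i = end + 2

# Constructed sample: an array wrapping the page's S('test', 'e') output.
SAMPLE = rb'a:1:{i:0;S:4:"t\65st";}'

if __name__ == "__main__":
    print(b"test" in SAMPLE)             # literal match on the raw payload
    print(normalize(SAMPLE))
    print(b"test" in normalize(SAMPLE))  # match after normalization
```

Signature or allow-list checks should run on the output of `normalize()`, since a literal match on the raw payload does not see escaped bytes.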
