from a quick skim, it looks like the underlying bug is just not handling object resurrection[1] at all (FreeMe adds a reference to $array while its destructor is called).

I'm not really familiar with PHP but this seems like a surprising oversight for a popular language. Does PHP just not care about memory corruption? The fact that it is this easy is far more surprising than it being used to circumvent a questionable security feature.

[1] https://en.wikipedia.org/wiki/Object_resurrection

there was a php-only million-rows challenge that was posted here recently. This uaf offers the opportunity for the funniest solution.

Tell us more about how you searched for and uncovered this? Do you normally use PHP? What disclosure process did you use?

That's a nice find. People rely a little heavily on this, and it only says in the manual "This directive allows certain functions to be disabled." but its not a security sandbox.

I think PHP has in the past explicitly stated its not a security feature.

There have been a few issues over the years with this.

Anyway - good OS security is required anytime you run software!

heres one from 6 years ago https://bugs.php.net/bug.php?id=76047