Not serializable flag permeation

Author: krakjoe

Zend/tests/weakrefs/weakrefs_002.phpt

@@ -12,8 +12,12 @@ try {
 
 $wrs = 'O:13:"WeakReference":0:{}';
 
-var_dump(@unserialize($wrs));
+try {
+	var_dump(unserialize($wrs));
+} catch (Exception $ex) {
+    var_dump($ex->getMessage());
+}
 ?>
 --EXPECT--
 string(47) "Serialization of 'WeakReference' is not allowed"
-bool(false)
+string(49) "Unserialization of 'WeakReference' is not allowed"

Zend/zend_weakrefs.c

@@ -604,8 +604,6 @@ void zend_register_weakref_ce(void) /* {{{ */
 	zend_ce_weakref = register_class_WeakReference();
 
 	zend_ce_weakref->create_object = zend_weakref_new;
-	zend_ce_weakref->serialize = zend_class_serialize_deny;
-	zend_ce_weakref->unserialize = zend_class_unserialize_deny;
 
 	memcpy(&zend_weakref_handlers, zend_get_std_object_handlers(), sizeof(zend_object_handlers));
 	zend_weakref_handlers.offset = XtOffsetOf(zend_weakref, std);
@@ -617,8 +615,6 @@ void zend_register_weakref_ce(void) /* {{{ */
 
 	zend_ce_weakmap->create_object = zend_weakmap_create_object;
 	zend_ce_weakmap->get_iterator = zend_weakmap_get_iterator;
-	zend_ce_weakmap->serialize = zend_class_serialize_deny;
-	zend_ce_weakmap->unserialize = zend_class_unserialize_deny;
 
 	memcpy(&zend_weakmap_handlers, zend_get_std_object_handlers(), sizeof(zend_object_handlers));
 	zend_weakmap_handlers.offset = XtOffsetOf(zend_weakmap, std);

Zend/zend_weakrefs.stub.php

@@ -2,7 +2,10 @@
 
 /** @generate-class-entries */
 
-/** @strict-properties */
+/**
+ * @strict-properties
+ * @not-serializable
+ */
 final class WeakReference
 {
     public function __construct() {}
@@ -12,7 +15,10 @@ public static function create(object $object): WeakReference {}
     public function get(): ?object {}
 }
 
-/** @strict-properties */
+/**
+ * @strict-properties
+ * @not-serializable
+ */
 final class WeakMap implements ArrayAccess, Countable, IteratorAggregate
 {
     /** @param object $object */

Zend/zend_weakrefs_arginfo.h

@@ -1,5 +1,5 @@
 /* This is a generated file, edit the .stub.php file instead.
- * Stub hash: c849da0cac9ed05fedacf10ef57449a4596b3c07 */
+ * Stub hash: d91889851d9732d41e43fffddb6235d033c67534 */
 
 ZEND_BEGIN_ARG_INFO_EX(arginfo_class_WeakReference___construct, 0, 0, 0)
 ZEND_END_ARG_INFO()
@@ -70,7 +70,7 @@ static zend_class_entry *register_class_WeakReference(void)
 
 	INIT_CLASS_ENTRY(ce, "WeakReference", class_WeakReference_methods);
 	class_entry = zend_register_internal_class_ex(&ce, NULL);
-	class_entry->ce_flags |= ZEND_ACC_FINAL|ZEND_ACC_NO_DYNAMIC_PROPERTIES;
+	class_entry->ce_flags |= ZEND_ACC_FINAL|ZEND_ACC_NO_DYNAMIC_PROPERTIES|ZEND_ACC_NOT_SERIALIZABLE;
 
 	return class_entry;
 }
@@ -81,7 +81,7 @@ static zend_class_entry *register_class_WeakMap(zend_class_entry *class_entry_Ar
 
 	INIT_CLASS_ENTRY(ce, "WeakMap", class_WeakMap_methods);
 	class_entry = zend_register_internal_class_ex(&ce, NULL);
-	class_entry->ce_flags |= ZEND_ACC_FINAL|ZEND_ACC_NO_DYNAMIC_PROPERTIES;
+	class_entry->ce_flags |= ZEND_ACC_FINAL|ZEND_ACC_NO_DYNAMIC_PROPERTIES|ZEND_ACC_NOT_SERIALIZABLE;
 	zend_class_implements(class_entry, 3, class_entry_ArrayAccess, class_entry_Countable, class_entry_IteratorAggregate);
 
 	return class_entry;

ext/com_dotnet/com_extension.c

@@ -174,21 +174,15 @@ PHP_MINIT_FUNCTION(com_dotnet)
 	php_com_variant_class_entry = register_class_variant();
 	php_com_variant_class_entry->create_object = php_com_object_new;
 	php_com_variant_class_entry->get_iterator = php_com_iter_get;
-	php_com_variant_class_entry->serialize = zend_class_serialize_deny;
-	php_com_variant_class_entry->unserialize = zend_class_unserialize_deny;
 
 	tmp = register_class_com(php_com_variant_class_entry);
 	tmp->create_object = php_com_object_new;
 	tmp->get_iterator = php_com_iter_get;
-	tmp->serialize = zend_class_serialize_deny;
-	tmp->unserialize = zend_class_unserialize_deny;
 
 #if HAVE_MSCOREE_H
 	tmp = register_class_dotnet(php_com_variant_class_entry);
 	tmp->create_object = php_com_object_new;
 	tmp->get_iterator = php_com_iter_get;
-	tmp->serialize = zend_class_serialize_deny;
-	tmp->unserialize = zend_class_unserialize_deny;
 #endif
 
 	REGISTER_INI_ENTRIES();

ext/com_dotnet/com_extension.stub.php

@@ -66,6 +66,9 @@ function com_message_pump(int $timeout_milliseconds  = 0): bool {}
 
 function com_load_typelib(string $typelib, bool $case_insensitive = true): bool {}
 
+/**
+ * @not-serializable
+ */
 class variant
 {
     public function __construct(mixed $value = null, int $type = VT_EMPTY, int $codepage = CP_ACP) {}

ext/com_dotnet/com_extension_arginfo.h

@@ -1,5 +1,5 @@
 /* This is a generated file, edit the .stub.php file instead.
- * Stub hash: ba77cee0a718bcbe7ac280f07a41f9e97a8e2246 */
+ * Stub hash: a2e260364d3f1f0e632b43be1a61294b21eed937 */
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_variant_set, 0, 2, IS_VOID, 0)
 	ZEND_ARG_OBJ_INFO(0, variant, variant, 0)
@@ -243,6 +243,7 @@ static zend_class_entry *register_class_variant(void)
 
 	INIT_CLASS_ENTRY(ce, "variant", class_variant_methods);
 	class_entry = zend_register_internal_class_ex(&ce, NULL);
+	class_entry->ce_flags |= ZEND_ACC_NOT_SERIALIZABLE;
 
 	return class_entry;
 }

ext/com_dotnet/tests/bug77177.phpt

@@ -26,7 +26,11 @@ foreach ($strings as $string) {
 
 $strings = ['O:3:"com":0:{}', 'O:6:"dotnet":0:{}', 'O:7:"variant":0:{}'];
 foreach ($strings as $string) {
-    var_dump(unserialize($string));
+    try {
+        unserialize($string);
+    } catch (Exception $ex) {
+        echo "Exception: {$ex->getMessage()}\n";
+    }
 }
 ?>
 --EXPECTF--
@@ -36,18 +40,6 @@ Exception: Serialization of 'variant' is not allowed
 Exception: Unserialization of 'com' is not allowed
 Exception: Unserialization of 'dotnet' is not allowed
 Exception: Unserialization of 'variant' is not allowed
-
-Warning: Erroneous data format for unserializing 'com' in %s on line %d
-
-Notice: unserialize(): Error at offset 13 of 14 bytes in %s on line %d
-bool(false)
-
-Warning: Erroneous data format for unserializing 'dotnet' in %s on line %d
-
-Notice: unserialize(): Error at offset 16 of 17 bytes in %s on line %d
-bool(false)
-
-Warning: Erroneous data format for unserializing 'variant' in %s on line %d
-
-Notice: unserialize(): Error at offset 17 of 18 bytes in %s on line %d
-bool(false)
+Exception: Unserialization of 'com' is not allowed
+Exception: Unserialization of 'dotnet' is not allowed
+Exception: Unserialization of 'variant' is not allowed

ext/curl/curl.stub.php

@@ -2,17 +2,26 @@
 
 /** @generate-class-entries */
 
-/** @strict-properties */
+/**
+ * @strict-properties
+ * @not-serializable
+ */
 final class CurlHandle
 {
 }
 
-/** @strict-properties */
+/**
+ * @strict-properties
+ * @not-serializable
+ */
 final class CurlMultiHandle
 {
 }
 
-/** @strict-properties */
+/**
+ * @strict-properties
+ * @not-serializable
+ */
 final class CurlShareHandle
 {
 }

ext/curl/curl_arginfo.h

@@ -1,5 +1,5 @@
 /* This is a generated file, edit the .stub.php file instead.
- * Stub hash: 0b574385806ffec3ad96c1b584778cb53bd42535 */
+ * Stub hash: c667191d35c8822b6e1f38ddd1e2743e78d4c3c0 */
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_curl_close, 0, 1, IS_VOID, 0)
 	ZEND_ARG_OBJ_INFO(0, handle, CurlHandle, 0)
@@ -224,7 +224,7 @@ static zend_class_entry *register_class_CurlHandle(void)
 
 	INIT_CLASS_ENTRY(ce, "CurlHandle", class_CurlHandle_methods);
 	class_entry = zend_register_internal_class_ex(&ce, NULL);
-	class_entry->ce_flags |= ZEND_ACC_FINAL|ZEND_ACC_NO_DYNAMIC_PROPERTIES;
+	class_entry->ce_flags |= ZEND_ACC_FINAL|ZEND_ACC_NO_DYNAMIC_PROPERTIES|ZEND_ACC_NOT_SERIALIZABLE;
 
 	return class_entry;
 }
@@ -235,7 +235,7 @@ static zend_class_entry *register_class_CurlMultiHandle(void)
 
 	INIT_CLASS_ENTRY(ce, "CurlMultiHandle", class_CurlMultiHandle_methods);
 	class_entry = zend_register_internal_class_ex(&ce, NULL);
-	class_entry->ce_flags |= ZEND_ACC_FINAL|ZEND_ACC_NO_DYNAMIC_PROPERTIES;
+	class_entry->ce_flags |= ZEND_ACC_FINAL|ZEND_ACC_NO_DYNAMIC_PROPERTIES|ZEND_ACC_NOT_SERIALIZABLE;
 
 	return class_entry;
 }
@@ -246,7 +246,7 @@ static zend_class_entry *register_class_CurlShareHandle(void)
 
 	INIT_CLASS_ENTRY(ce, "CurlShareHandle", class_CurlShareHandle_methods);
 	class_entry = zend_register_internal_class_ex(&ce, NULL);
-	class_entry->ce_flags |= ZEND_ACC_FINAL|ZEND_ACC_NO_DYNAMIC_PROPERTIES;
+	class_entry->ce_flags |= ZEND_ACC_FINAL|ZEND_ACC_NO_DYNAMIC_PROPERTIES|ZEND_ACC_NOT_SERIALIZABLE;
 
 	return class_entry;
 }

ext/curl/curl_file.c

@@ -20,7 +20,6 @@
 
 #include "php.h"
 #include "Zend/zend_exceptions.h"
-#include "Zend/zend_interfaces.h"
 #include "curl_private.h"
 #include "curl_file_arginfo.h"
 
@@ -147,8 +146,6 @@ ZEND_METHOD(CURLStringFile, __construct)
 void curlfile_register_class(void)
 {
 	curl_CURLFile_class = register_class_CURLFile();
-	curl_CURLFile_class->serialize = zend_class_serialize_deny;
-	curl_CURLFile_class->unserialize = zend_class_unserialize_deny;
 
 	curl_CURLStringFile_class = register_class_CURLStringFile();
 }

ext/curl/curl_file.stub.php

@@ -2,6 +2,9 @@
 
 /** @generate-class-entries */
 
+/**
+ * @not-serializable
+ */
 class CURLFile
 {
     public string $name = "";

ext/curl/curl_file_arginfo.h

@@ -1,5 +1,5 @@
 /* This is a generated file, edit the .stub.php file instead.
- * Stub hash: 6cc8d65814e0a45d71cdf765533e85353e749051 */
+ * Stub hash: 63d47eac83ee088e8b4c0d1aa469de9ae066146a */
 
 ZEND_BEGIN_ARG_INFO_EX(arginfo_class_CURLFile___construct, 0, 0, 1)
 	ZEND_ARG_TYPE_INFO(0, filename, IS_STRING, 0)
@@ -60,6 +60,7 @@ static zend_class_entry *register_class_CURLFile(void)
 
 	INIT_CLASS_ENTRY(ce, "CURLFile", class_CURLFile_methods);
 	class_entry = zend_register_internal_class_ex(&ce, NULL);
+	class_entry->ce_flags |= ZEND_ACC_NOT_SERIALIZABLE;
 
 	zval property_name_default_value;
 	ZVAL_EMPTY_STRING(&property_name_default_value);

ext/curl/interface.c

@@ -21,7 +21,6 @@
 #endif
 
 #include "php.h"
-#include "Zend/zend_interfaces.h"
 #include "Zend/zend_exceptions.h"
 
 #include <stdio.h>
@@ -1189,8 +1188,6 @@ PHP_MINIT_FUNCTION(curl)
 
 	curl_ce = register_class_CurlHandle();
 	curl_ce->create_object = curl_create_object;
-	curl_ce->serialize = zend_class_serialize_deny;
-	curl_ce->unserialize = zend_class_unserialize_deny;
 
 	memcpy(&curl_object_handlers, &std_object_handlers, sizeof(zend_object_handlers));
 	curl_object_handlers.offset = XtOffsetOf(php_curl, std);

ext/curl/multi.c

@@ -21,7 +21,6 @@
 #endif
 
 #include "php.h"
-#include "Zend/zend_interfaces.h"
 #include "Zend/zend_smart_str.h"
 
 #include "curl_private.h"
@@ -582,8 +581,6 @@ static HashTable *curl_multi_get_gc(zend_object *object, zval **table, int *n)
 
 void curl_multi_register_handlers(void) {
 	curl_multi_ce->create_object = curl_multi_create_object;
-	curl_multi_ce->serialize = zend_class_serialize_deny;
-	curl_multi_ce->unserialize = zend_class_unserialize_deny;
 
 	memcpy(&curl_multi_handlers, &std_object_handlers, sizeof(zend_object_handlers));
 	curl_multi_handlers.offset = XtOffsetOf(php_curlm, std);

ext/curl/share.c

@@ -21,7 +21,6 @@
 #endif
 
 #include "php.h"
-#include "Zend/zend_interfaces.h"
 
 #include "curl_private.h"
 
@@ -164,8 +163,6 @@ void curl_share_free_obj(zend_object *object)
 
 void curl_share_register_handlers(void) {
 	curl_share_ce->create_object = curl_share_create_object;
-	curl_share_ce->serialize = &zend_class_serialize_deny;
-	curl_share_ce->unserialize = &zend_class_unserialize_deny;
 
 	memcpy(&curl_share_handlers, &std_object_handlers, sizeof(zend_object_handlers));
 	curl_share_handlers.offset = XtOffsetOf(php_curlsh, std);

ext/curl/tests/bug73147.phpt

@@ -4,16 +4,12 @@ Bug #73147: Use After Free in PHP7 unserialize()
 curl
 --FILE--
 <?php
-
 $poc = 'a:1:{i:0;O:8:"CURLFile":1:{s:4:"name";R:1;}}';
 try {
     var_dump(unserialize($poc));
 } catch(Exception $e) {
     echo $e->getMessage();
 }
 ?>
---EXPECTF--
-Warning: Erroneous data format for unserializing 'CURLFile' in %s on line %d
-
-Notice: unserialize(): Error at offset 27 of 44 bytes in %s on line %d
-bool(false)
+--EXPECT--
+Unserialization of 'CURLFile' is not allowed

ext/enchant/enchant.c

@@ -22,7 +22,6 @@
 #include "php.h"
 #include "php_ini.h"
 #include "ext/standard/info.h"
-#include "Zend/zend_interfaces.h"
 #include "Zend/zend_exceptions.h"
 #include "../spl/spl_exceptions.h"
 #include <enchant.h>
@@ -188,8 +187,6 @@ PHP_MINIT_FUNCTION(enchant)
 {
 	enchant_broker_ce = register_class_EnchantBroker();
 	enchant_broker_ce->create_object = enchant_broker_create_object;
-	enchant_broker_ce->serialize = zend_class_serialize_deny;
-	enchant_broker_ce->unserialize = zend_class_unserialize_deny;
 
 	memcpy(&enchant_broker_handlers, &std_object_handlers, sizeof(zend_object_handlers));
 	enchant_broker_handlers.offset = XtOffsetOf(enchant_broker, std);
@@ -199,8 +196,6 @@ PHP_MINIT_FUNCTION(enchant)
 
 	enchant_dict_ce = register_class_EnchantDictionary();
 	enchant_dict_ce->create_object = enchant_dict_create_object;
-	enchant_dict_ce->serialize = zend_class_serialize_deny;
-	enchant_dict_ce->unserialize = zend_class_unserialize_deny;
 
 	memcpy(&enchant_dict_handlers, &std_object_handlers, sizeof(zend_object_handlers));
 	enchant_dict_handlers.offset = XtOffsetOf(enchant_dict, std);

ext/enchant/enchant.stub.php

@@ -2,12 +2,18 @@
 
 /** @generate-class-entries */
 
-/** @strict-properties */
+/**
+ * @strict-properties
+ * @not-serializable
+ */
 final class EnchantBroker
 {
 }
 
-/** @strict-properties */
+/**
+ * @strict-properties
+ * @not-serializable
+ */
 final class EnchantDictionary
 {
 }