author | Nikita Popov <nikita.ppv@gmail.com> | 2018-11-26 13:20:51 +0100 |
committer | Nikita Popov <nikita.ppv@gmail.com> | 2018-11-26 13:20:51 +0100 |
commit | a624c2bd13c89891e99f2052b42c0816cc18341c (patch) | |
tree | 13a769dc7fef3a4c2f30c44a4ea61252b28e9f31 | |
parent | 43417953f4a781a92f42c9941a2742814d43415d (diff) | |
download | php-git-a624c2bd13c89891e99f2052b42c0816cc18341c.tar.gz |
Use serialize_deny for CURLFile
Instead of a throwing __wakeup() method.
-rw-r--r-- | UPGRADING | 4 | ||||
-rw-r--r-- | ext/curl/curl_file.c | 14 | ||||
-rw-r--r-- | ext/curl/tests/bug73147.phpt | 11 | ||||
-rw-r--r-- | ext/curl/tests/curl_file_serialize.phpt | 11 |
4 files changed, 19 insertions, 21 deletions
@@ -19,6 +19,10 @@ PHP 7.4 UPGRADE NOTES
 1. Backward Incompatible Changes
 ========================================
 
+- Curl:
+  . Attempting to serialize a CURLFile class will now generate an exception.
+    Previously the exception was only thrown on unserialization.
+
 - Date:
   . Calling var_dump() or similar on a DateTime(Immutable) instance will no
     longer leave behind accessible properties on the object.
diff --git a/ext/curl/curl_file.c b/ext/curl/curl_file.c
index b48ae9ef3a..fb815ec080 100644
--- a/ext/curl/curl_file.c
+++ b/ext/curl/curl_file.c
@@ -22,6 +22,7 @@
 #include "php.h"
 #include "Zend/zend_exceptions.h"
+#include "Zend/zend_interfaces.h"
 #include "php_curl.h"
 
 #if HAVE_CURL
 
@@ -130,16 +131,6 @@ ZEND_METHOD(CURLFile, setPostFilename)
 }
 /* }}} */
 
-/* {{{ proto CURLFile::__wakeup()
-   Unserialization handler */
-ZEND_METHOD(CURLFile, __wakeup)
-{
-	zend_unset_property(curl_CURLFile_class, ZEND_THIS, "name", sizeof("name")-1);
-	zend_update_property_string(curl_CURLFile_class, ZEND_THIS, "name", sizeof("name")-1, "");
-	zend_throw_exception(NULL, "Unserialization of CURLFile instances is not allowed", 0);
-}
-/* }}} */
-
 ZEND_BEGIN_ARG_INFO_EX(arginfo_curlfile_create, 0, 0, 1)
 	ZEND_ARG_INFO(0, filename)
 	ZEND_ARG_INFO(0, mimetype)
@@ -158,7 +149,6 @@ static const zend_function_entry curlfile_funcs[] = {
 	PHP_ME(CURLFile, setMimeType, arginfo_curlfile_name, ZEND_ACC_PUBLIC)
 	PHP_ME(CURLFile, getPostFilename, NULL, ZEND_ACC_PUBLIC)
 	PHP_ME(CURLFile, setPostFilename, arginfo_curlfile_name, ZEND_ACC_PUBLIC)
-	PHP_ME(CURLFile, __wakeup, NULL, ZEND_ACC_PUBLIC)
 	PHP_FE_END
 };
 
@@ -167,6 +157,8 @@ void curlfile_register_class(void)
 	zend_class_entry ce;
 	INIT_CLASS_ENTRY( ce, "CURLFile", curlfile_funcs );
 	curl_CURLFile_class = zend_register_internal_class(&ce);
+	curl_CURLFile_class->serialize = zend_class_serialize_deny;
+	curl_CURLFile_class->unserialize = zend_class_unserialize_deny;
 	zend_declare_property_string(curl_CURLFile_class, "name", sizeof("name")-1, "", ZEND_ACC_PUBLIC);
 	zend_declare_property_string(curl_CURLFile_class, "mime", sizeof("mime")-1, "", ZEND_ACC_PUBLIC);
 	zend_declare_property_string(curl_CURLFile_class, "postname", sizeof("postname")-1, "", ZEND_ACC_PUBLIC);
diff --git a/ext/curl/tests/bug73147.phpt b/ext/curl/tests/bug73147.phpt
index 118177d871..0c86269151 100644
--- a/ext/curl/tests/bug73147.phpt
+++ b/ext/curl/tests/bug73147.phpt
@@ -11,10 +11,13 @@ if (!extension_loaded("curl")) {
 
 $poc = 'a:1:{i:0;O:8:"CURLFile":1:{s:4:"name";R:1;}}';
 try {
-var_dump(unserialize($poc));
+	var_dump(unserialize($poc));
 } catch(Exception $e) {
-    echo $e->getMessage();
+	echo $e->getMessage();
 }
 ?>
---EXPECT--
-Unserialization of CURLFile instances is not allowed
+--EXPECTF--
+Warning: Erroneous data format for unserializing 'CURLFile' in %s on line %d
+
+Notice: unserialize(): Error at offset 27 of 44 bytes in %s on line %d
+bool(false)
diff --git a/ext/curl/tests/curl_file_serialize.phpt b/ext/curl/tests/curl_file_serialize.phpt
index e2f2d14fff..7748272b76 100644
--- a/ext/curl/tests/curl_file_serialize.phpt
+++ b/ext/curl/tests/curl_file_serialize.phpt
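Review bot: The two handler assignments added to curlfile_register_class() carry no comment explaining why (un)serialization is refused at the class level, and the only unserialize test touched by this commit (bug73147.phpt) feeds an `O:` payload whose new expected output ("Erroneous data format for unserializing") suggests it is rejected by the unserializer's own format check rather than by zend_class_unserialize_deny, so the `C:` path that actually invokes the deny handler appears untested. A short comment above the assignments would help the next reader, e.g. `/* A CURLFile names a local file: refuse serialize()/unserialize() for the whole class so no instance can be rebuilt from external data (replaces the former throwing __wakeup()). */`, and a companion test with a `C:8:"CURLFile":...` payload would pin the unserialize-deny message. It is also worth confirming that user subclasses inherit both handlers, since nothing in the hunk marks CURLFile final. The enclosing function starts and ends outside the hunk.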
@@ -8,13 +8,12 @@ if (!extension_loaded("curl")) {
 ?>
 --FILE--
 <?php
-$data = 'a:2:{s:4:"file";O:8:"CURLFile":3:{s:4:"name";s:13:"testdata1.txt";s:4:"mime";s:0:"";s:8:"postname";s:0:"";}s:4:"data";s:3:"foo";}';
-var_dump(unserialize($data));
+$file = new CURLFile(__DIR__ . '/curl_testdata1.txt');
+var_dump(serialize($file));
 ?>
 --EXPECTF--
-Fatal error: Uncaught Exception: Unserialization of CURLFile instances is not allowed in %s
+Fatal error: Uncaught Exception: Serialization of 'CURLFile' is not allowed in %s:%d
 Stack trace:
-#0 [internal function]: CURLFile->__wakeup()
-#1 %s
-#2 {main}
+#0 %s(%d): serialize(Object(CURLFile))
+#1 {main}
   thrown in %s on line %d