Use serialize_deny for CURLFile

nikic · nikic · commit a624c2bd13c8 · 2018-11-26T13:20:51.000+01:00
Instead of a throwing __wakeup() method.
diff --git a/UPGRADING b/UPGRADING
@@ -19,6 +19,10 @@ PHP 7.4 UPGRADE NOTES
 1. Backward Incompatible Changes
 ========================================
 
+- Curl:
+  . Attempting to serialize a CURLFile class will now generate an exception.
+    Previously the exception was only thrown on unserialization.
+
 - Date:
   . Calling var_dump() or similar on a DateTime(Immutable) instance will no
     longer leave behind accessible properties on the object.
diff --git a/ext/curl/curl_file.c b/ext/curl/curl_file.c
@@ -22,6 +22,7 @@
 
 #include "php.h"
 #include "Zend/zend_exceptions.h"
+#include "Zend/zend_interfaces.h"
 #include "php_curl.h"
 #if HAVE_CURL
 
@@ -130,16 +131,6 @@ ZEND_METHOD(CURLFile, setPostFilename)
 }
 /* }}} */
 
-/* {{{ proto CURLFile::__wakeup()
-   Unserialization handler */
-ZEND_METHOD(CURLFile, __wakeup)
-{
-	zend_unset_property(curl_CURLFile_class, ZEND_THIS, "name", sizeof("name")-1);
-	zend_update_property_string(curl_CURLFile_class, ZEND_THIS, "name", sizeof("name")-1, "");
-	zend_throw_exception(NULL, "Unserialization of CURLFile instances is not allowed", 0);
-}
-/* }}} */
-
 ZEND_BEGIN_ARG_INFO_EX(arginfo_curlfile_create, 0, 0, 1)
 	ZEND_ARG_INFO(0, filename)
 	ZEND_ARG_INFO(0, mimetype)
@@ -158,7 +149,6 @@ static const zend_function_entry curlfile_funcs[] = {
 	PHP_ME(CURLFile,			setMimeType,        arginfo_curlfile_name, ZEND_ACC_PUBLIC)
 	PHP_ME(CURLFile,			getPostFilename,    NULL, ZEND_ACC_PUBLIC)
 	PHP_ME(CURLFile,			setPostFilename,    arginfo_curlfile_name, ZEND_ACC_PUBLIC)
-	PHP_ME(CURLFile,            __wakeup,           NULL, ZEND_ACC_PUBLIC)
 	PHP_FE_END
 };
 
@@ -167,6 +157,8 @@ void curlfile_register_class(void)
 	zend_class_entry ce;
 	INIT_CLASS_ENTRY( ce, "CURLFile", curlfile_funcs );
 	curl_CURLFile_class = zend_register_internal_class(&ce);
+	curl_CURLFile_class->serialize = zend_class_serialize_deny;
+	curl_CURLFile_class->unserialize = zend_class_unserialize_deny;
 	zend_declare_property_string(curl_CURLFile_class, "name", sizeof("name")-1, "", ZEND_ACC_PUBLIC);
 	zend_declare_property_string(curl_CURLFile_class, "mime", sizeof("mime")-1, "", ZEND_ACC_PUBLIC);
 	zend_declare_property_string(curl_CURLFile_class, "postname", sizeof("postname")-1, "", ZEND_ACC_PUBLIC);
diff --git a/ext/curl/tests/bug73147.phpt b/ext/curl/tests/bug73147.phpt
@@ -11,10 +11,13 @@ if (!extension_loaded("curl")) {
 
 $poc = 'a:1:{i:0;O:8:"CURLFile":1:{s:4:"name";R:1;}}';
 try {
-var_dump(unserialize($poc));
+    var_dump(unserialize($poc));
 } catch(Exception $e) {
-	echo $e->getMessage();
+    echo $e->getMessage();
 }
 ?>
---EXPECT--
-Unserialization of CURLFile instances is not allowed
+--EXPECTF--
+Warning: Erroneous data format for unserializing 'CURLFile' in %s on line %d
+
+Notice: unserialize(): Error at offset 27 of 44 bytes in %s on line %d
+bool(false)
diff --git a/ext/curl/tests/curl_file_serialize.phpt b/ext/curl/tests/curl_file_serialize.phpt
@@ -8,13 +8,12 @@ if (!extension_loaded("curl")) {
 ?>
 --FILE--
 <?php
-$data = 'a:2:{s:4:"file";O:8:"CURLFile":3:{s:4:"name";s:13:"testdata1.txt";s:4:"mime";s:0:"";s:8:"postname";s:0:"";}s:4:"data";s:3:"foo";}';
-var_dump(unserialize($data));
+$file = new CURLFile(__DIR__ . '/curl_testdata1.txt');
+var_dump(serialize($file));
 ?>
 --EXPECTF--
-Fatal error: Uncaught Exception: Unserialization of CURLFile instances is not allowed in %s
+Fatal error: Uncaught Exception: Serialization of 'CURLFile' is not allowed in %s:%d
 Stack trace:
-#0 [internal function]: CURLFile->__wakeup()
-#1 %s
-#2 {main}
+#0 %s(%d): serialize(Object(CURLFile))
+#1 {main}
   thrown in %s on line %d
