Deny (un)serialization of SQLite3, SQLite3Stmt and SQLite3Result
authorChristoph M. Becker <cmbecker69@gmx.de>
Thu, 29 Nov 2018 00:08:03 +0000 (01:08 +0100)
committerChristoph M. Becker <cmbecker69@gmx.de>
Thu, 29 Nov 2018 00:08:03 +0000 (01:08 +0100)
Serializing `SQLite3`, `SQLite3Stmt` and `SQLite3Result` instances is
possible but pointless, since unserializing results in uninitialized
instances, which will bail out of any method call.  Therefore, we deny
serialization and unserialization in the first place.

NEWS
UPGRADING
ext/sqlite3/sqlite3.c

diff --git a/NEWS b/NEWS
index fe919e7f698fd37640af7240f0b32cf80d89e0ae..1795b052dc2ad3e43562feb9c20355fcb5abaaf9 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -42,6 +42,7 @@ PHP                                                                        NEWS
 - SQLite3:
   . Unbundled libsqlite. (cmb)
   . Lifted requirements to SQLite 3.5.0. (cmb)
+  . Forbid (un)serialization of SQLite3, SQLite3Stmt and SQLite3Result. (cmb)
   . Added support for the SQLite @name notation. (cmb, BohwaZ)
 
 - Standard:
index 5c6c303ce7c5a448bf60f321b22d03a4c8293585..9016b4a1d36c7ef3973c69b587fb8ff42df2bdba 100644 (file)
--- a/UPGRADING
+++ b/UPGRADING
@@ -137,6 +137,9 @@ PHP 7.4 UPGRADE NOTES
 - SQLite3:
   . The bundled libsqlite has been removed.  To build the SQLite3 and/or
     PDO_SQLite extensions a system libsqlite3 ≥ 3.5.0 is now required.
+  . (Un)serialization of SQLite3, SQLite3Stmt and SQLite3Result is now explictly
+    forbidden. Formerly, serialization of instances of these classes was
+    possible, but unserialization yielded unusable objects.
   . The @param notation can now also be used to denote SQL query parameters.
 
 - Zip:
index a347b34ceeca3a62097ff36ce3caeb98e4fc6cff..0933ff3c2acecf510eabec88c67adac875b3a541 100644 (file)
@@ -2283,6 +2283,8 @@ PHP_MINIT_FUNCTION(sqlite3)
        sqlite3_object_handlers.clone_obj = NULL;
        sqlite3_object_handlers.free_obj = php_sqlite3_object_free_storage;
        php_sqlite3_sc_entry = zend_register_internal_class(&ce);
+       php_sqlite3_sc_entry->serialize = zend_class_serialize_deny;
+       php_sqlite3_sc_entry->unserialize = zend_class_unserialize_deny;
 
        /* Register SQLite 3 Prepared Statement Class */
        INIT_CLASS_ENTRY(ce, "SQLite3Stmt", php_sqlite3_stmt_class_methods);
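Review bot: The new behaviour is user-visible but no regression test accompanies it — the diffstat lists only NEWS, UPGRADING and ext/sqlite3/sqlite3.c — so a .phpt asserting that serialize() of an SQLite3 instance and unserialize() of an `O:`-format payload naming the class both throw would pin what the two added assignments promise. The bare handler assignments also deserve a why-comment, because a reader of PHP_MINIT_FUNCTION cannot tell from them that an unserialized instance would have no open database and fail every method; something like `/* unserialized instances are never usable (no db handle), so refuse both directions */` above the first pair, repeated for the SQLite3Stmt and SQLite3Result pairs in the following two hunks. Since SQLite3 is not declared final, user subclasses presumably inherit these class-entry handlers during inheritance, which is the intended effect but is not stated in the UPGRADING text. PHP_MINIT_FUNCTION(sqlite3) starts before this hunk and continues past it.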
@@ -2291,6 +2293,8 @@ PHP_MINIT_FUNCTION(sqlite3)
        sqlite3_stmt_object_handlers.clone_obj = NULL;
        sqlite3_stmt_object_handlers.free_obj = php_sqlite3_stmt_object_free_storage;
        php_sqlite3_stmt_entry = zend_register_internal_class(&ce);
+       php_sqlite3_stmt_entry->serialize = zend_class_serialize_deny;
+       php_sqlite3_stmt_entry->unserialize = zend_class_unserialize_deny;
 
        /* Register SQLite 3 Result Class */
        INIT_CLASS_ENTRY(ce, "SQLite3Result", php_sqlite3_result_class_methods);
@@ -2299,6 +2303,8 @@ PHP_MINIT_FUNCTION(sqlite3)
        sqlite3_result_object_handlers.clone_obj = NULL;
        sqlite3_result_object_handlers.free_obj = php_sqlite3_result_object_free_storage;
        php_sqlite3_result_entry = zend_register_internal_class(&ce);
+       php_sqlite3_result_entry->serialize = zend_class_serialize_deny;
+       php_sqlite3_result_entry->unserialize = zend_class_unserialize_deny;
 
        REGISTER_INI_ENTRIES();