From: Nikita Popov
Date: Mon, 26 Oct 2020 15:54:30 +0000 (+0100)
Subject: Deny serialization of finfo objects
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6d3695a217c8a3a295fc723a8bd079db05984b70;p=php
Deny serialization of finfo objects
The resulting objects were already unusable, make it error out earlier.
---
diff --git a/ext/fileinfo/fileinfo.c b/ext/fileinfo/fileinfo.c
index 3e05913ec2..add971b6d6 100644
--- a/ext/fileinfo/fileinfo.c
+++ b/ext/fileinfo/fileinfo.c
@@ -35,6 +35,7 @@
 #include "fileinfo_arginfo.h"
 #include "fopen_wrappers.h" /* needed for is_url */
 #include "Zend/zend_exceptions.h"
+#include "Zend/zend_interfaces.h"
 
 /* {{{ macros and type definitions */
 typedef struct _php_fileinfo {
@@ -132,8 +133,10 @@ PHP_MINIT_FUNCTION(finfo)
 {
 zend_class_entry _finfo_class_entry;
 INIT_CLASS_ENTRY(_finfo_class_entry, "finfo", class_finfo_methods);
- _finfo_class_entry.create_object = finfo_objects_new;
 finfo_class_entry = zend_register_internal_class(&_finfo_class_entry);
+ finfo_class_entry->create_object = finfo_objects_new;
+ finfo_class_entry->serialize = zend_class_serialize_deny;
+ finfo_class_entry->unserialize = zend_class_unserialize_deny;
 
 /* copy the standard object handlers to you handler table */
 memcpy(&finfo_object_handlers, &std_object_handlers, sizeof(zend_object_handlers));
diff --git a/ext/fileinfo/tests/clone_serialize.phpt b/ext/fileinfo/tests/clone_serialize.phpt
index dec16a485e..a249819796 100644
--- a/ext/fileinfo/tests/clone_serialize.phpt
+++ b/ext/fileinfo/tests/clone_serialize.phpt
@@ -14,7 +14,7 @@ try {
 try {
 $finfo3 = unserialize(serialize($finfo));
 var_dump($finfo3->buffer("Test string"));
-} catch (Error $e) {
+} catch (Exception $e) {
 echo $e->getMessage(), "\n";
 }
 
@@ -22,4 +22,4 @@ try {
 --EXPECTF--
 string(%d) "%s"
 Trying to clone an uncloneable object of class finfo
-Invalid finfo object
+Serialization of 'finfo' is not allowed
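Review bot: The three handler assignments after `zend_register_internal_class` carry no comment saying why serialization is refused; the reason lives only in the commit message. I would put above `finfo_class_entry->serialize = zend_class_serialize_deny;` a comment along the lines of `/* finfo state cannot be rebuilt from a serialized form (the restored objects were unusable), so refuse both serialize() and unserialize() up front instead of handing back a broken object. */`. Two things are worth confirming, since the hunk cannot show them: that `zend_class_unserialize_deny` is consulted for the plain `O:` wire format and not only the custom-object `C:` path, and that a userland subclass defining `__serialize` is not dispatched ahead of the class-level `serialize` handler, which as far as I recall is the serializer's order in this PHP line; if either check fails, a stronger mechanism than these two handlers is needed to make the denial complete. PHP_MINIT_FUNCTION(finfo) continues past the end of the hunk.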
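Review bot: The test still only reaches the serialize() failure: in `$finfo3 = unserialize(serialize($finfo));` the inner call throws first, so the new unserialize deny handler on the C side is never exercised, and the expectation at the bottom only pins the "Serialization of 'finfo' is not allowed" message. I would add a second try block that calls `unserialize('O:5:"finfo":0:{}')` (a constructed payload for a bare finfo object with no properties) and pins whatever message the unserialize path produces, so a regression that silently recreates a finfo object from the wire format is caught rather than hidden behind the serialize() error. Switching the catch to `Exception` is consistent with the deny handlers throwing an exception rather than an Error; the earlier clone block that prints the "uncloneable" line is outside this hunk.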