From 342240fd7fb6ac0a287eb6f912c4d61d6274d68c Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sat, 21 Jun 2014 21:28:33 -0700 Subject: [PATCH] Better fix for bug #67072 with more BC provisions --- NEWS | 2 +- ext/standard/tests/serialize/bug67072_2.phpt | 84 ++++++++++++++++++++ ext/standard/var_unserializer.c | 67 ++++++++-------- ext/standard/var_unserializer.re | 3 +- 4 files changed, 121 insertions(+), 35 deletions(-) create mode 100644 ext/standard/tests/serialize/bug67072_2.phpt diff --git a/NEWS b/NEWS index 58de645ca9..fce2198a7a 100644 --- a/NEWS +++ b/NEWS @@ -18,7 +18,7 @@ PHP NEWS ?? ??? 2014, PHP 5.5.14 - Core: - . Fixed BC break introduced by patch for bug #67072. (Anatol) + . Fixed BC break introduced by patch for bug #67072. (Anatol, Stas) . Fixed bug #66622 (Closures do not correctly capture the late bound class (static::) in some cases). (Levi Morrison) . Fixed bug #67390 (insecure temporary file use in the configure script). diff --git a/ext/standard/tests/serialize/bug67072_2.phpt b/ext/standard/tests/serialize/bug67072_2.phpt new file mode 100644 index 0000000000..09eadb9ee1 --- /dev/null +++ b/ext/standard/tests/serialize/bug67072_2.phpt 
@@ -0,0 +1,84 @@ +--TEST-- +Bug #67072 Echoing unserialized "SplFileObject" crash - BC break fixes +--FILE-- + +===DONE== +--EXPECTF-- +Warning: Erroneous data format for unserializing 'MySplFileObject' in %s on line 4 + +Notice: unserialize(): Error at offset 26 of 66 bytes in %s on line 4 +object(stdClass)#%d (0) { +} +object(MyClass)#%d (0) { +} +object(MyClassSer)#%d (0) { +} +object(MyClassSer2)#%d (0) { +} + +Warning: Erroneous data format for unserializing 'SplFileObject' in %s on line 9 + +Notice: unserialize(): Error at offset 24 of 25 bytes in %s on line 9 +bool(false) + +Warning: Erroneous data format for unserializing 'MySplFileObject' in %s on line 9 + +Notice: unserialize(): Error at offset 26 of 27 bytes in %s on line 9 +bool(false) +object(SplObjectStorage)#%d (1) { + ["storage":"SplObjectStorage":private]=> + array(0) { + } +} +object(__PHP_Incomplete_Class)#%d (1) { + ["__PHP_Incomplete_Class_Name"]=> + string(6) "FooBar" +} + +Warning: Erroneous data format for unserializing 'Closure' in %s on line 9 + +Notice: unserialize(): Error at offset 17 of 18 bytes in %s on line 9 +bool(false) +object(ArrayObject)#%d (1) { + ["storage":"ArrayObject":private]=> + array(0) { + } +} +object(MyArrayObject)#1 (2) { + ["a"]=> + int(1) + ["storage":"ArrayObject":private]=> + array(0) { + } +} +object(Directory)#1 (0) { +} +===DONE== diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c index 8bec13330c..657051f6f7 100644 --- a/ext/standard/var_unserializer.c +++ b/ext/standard/var_unserializer.c @@ -1,4 +1,4 @@ -/* Generated by re2c 0.13.5 on Tue Jun 3 10:23:35 2014 */ +/* Generated by re2c 0.13.5 on Sat Jun 21 21:27:56 2014 */ #line 1 "ext/standard/var_unserializer.re" /* +----------------------------------------------------------------------+ 
@@ -23,6 +23,7 @@ #include "php.h" #include "ext/standard/php_var.h" #include "php_incomplete_class.h" +#include "Zend/zend_interfaces.h" /* {{{ reference-handling for unserializer: var_* */ #define VAR_ENTRIES_MAX 1024 @@ -226,7 +227,7 @@ static char *unserialize_str(const unsigned char **p, size_t *len, size_t maxlen #define YYMARKER marker -#line 234 "ext/standard/var_unserializer.re" +#line 235 "ext/standard/var_unserializer.re" @@ -400,7 +401,7 @@ static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce) Serializable interface have eventually an inconsistent behavior at this place when unserialized from a manipulated string. Additionaly the interal classes can possibly crash PHP so they're still disabled here. */ - if (ce->serialize == NULL || ZEND_INTERNAL_CLASS != ce->type) { + if (ce->serialize == NULL || ce->unserialize == zend_user_unserialize || (ZEND_INTERNAL_CLASS != ce->type && ce->create_object == NULL)) { object_init_ex(*rval, ce); } else { /* If this class implements Serializable, it should not land here but in object_custom(). The passed string @@ -473,7 +474,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER) -#line 477 "ext/standard/var_unserializer.c" +#line 478 "ext/standard/var_unserializer.c" { YYCTYPE yych; static const unsigned char yybm[] = { @@ -533,9 +534,9 @@ yy2: yych = *(YYMARKER = ++YYCURSOR); if (yych == ':') goto yy95; yy3: -#line 828 "ext/standard/var_unserializer.re" +#line 829 "ext/standard/var_unserializer.re" { return 0; } -#line 539 "ext/standard/var_unserializer.c" +#line 540 "ext/standard/var_unserializer.c" yy4: yych = *(YYMARKER = ++YYCURSOR); if (yych == ':') goto yy89; 
@@ -578,13 +579,13 @@ yy13: goto yy3; yy14: ++YYCURSOR; -#line 822 "ext/standard/var_unserializer.re" +#line 823 "ext/standard/var_unserializer.re" { /* this is the case where we have less data than planned */ php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data"); return 0; /* not sure if it should be 0 or 1 here? */ } -#line 588 "ext/standard/var_unserializer.c" +#line 589 "ext/standard/var_unserializer.c" yy16: yych = *++YYCURSOR; goto yy3; @@ -614,7 +615,7 @@ yy20: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 676 "ext/standard/var_unserializer.re" +#line 677 "ext/standard/var_unserializer.re" { size_t len, len2, len3, maxlen; long elements; @@ -760,7 +761,7 @@ yy20: return object_common2(UNSERIALIZE_PASSTHRU, elements); } -#line 764 "ext/standard/var_unserializer.c" +#line 765 "ext/standard/var_unserializer.c" yy25: yych = *++YYCURSOR; if (yych <= ',') { @@ -785,7 +786,7 @@ yy27: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 668 "ext/standard/var_unserializer.re" +#line 669 "ext/standard/var_unserializer.re" { INIT_PZVAL(*rval); @@ -793,7 +794,7 @@ yy27: return object_common2(UNSERIALIZE_PASSTHRU, object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR)); } -#line 797 "ext/standard/var_unserializer.c" +#line 798 "ext/standard/var_unserializer.c" yy32: yych = *++YYCURSOR; if (yych == '+') goto yy33; @@ -814,7 +815,7 @@ yy34: yych = *++YYCURSOR; if (yych != '{') goto yy18; ++YYCURSOR; -#line 648 "ext/standard/var_unserializer.re" +#line 649 "ext/standard/var_unserializer.re" { long elements = parse_iv(start + 2); /* use iv() not uiv() in order to check data range */ @@ -834,7 +835,7 @@ yy34: return finish_nested_data(UNSERIALIZE_PASSTHRU); } -#line 838 "ext/standard/var_unserializer.c" +#line 839 "ext/standard/var_unserializer.c" yy39: yych = *++YYCURSOR; if (yych == '+') goto yy40; 
@@ -855,7 +856,7 @@ yy41: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 619 "ext/standard/var_unserializer.re" +#line 620 "ext/standard/var_unserializer.re" { size_t len, maxlen; char *str; @@ -884,7 +885,7 @@ yy41: ZVAL_STRINGL(*rval, str, len, 0); return 1; } -#line 888 "ext/standard/var_unserializer.c" +#line 889 "ext/standard/var_unserializer.c" yy46: yych = *++YYCURSOR; if (yych == '+') goto yy47; @@ -905,7 +906,7 @@ yy48: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 591 "ext/standard/var_unserializer.re" +#line 592 "ext/standard/var_unserializer.re" { size_t len, maxlen; char *str; @@ -933,7 +934,7 @@ yy48: ZVAL_STRINGL(*rval, str, len, 1); return 1; } -#line 937 "ext/standard/var_unserializer.c" +#line 938 "ext/standard/var_unserializer.c" yy53: yych = *++YYCURSOR; if (yych <= '/') { @@ -1021,7 +1022,7 @@ yy61: } yy63: ++YYCURSOR; -#line 581 "ext/standard/var_unserializer.re" +#line 582 "ext/standard/var_unserializer.re" { #if SIZEOF_LONG == 4 use_double: @@ -1031,7 +1032,7 @@ use_double: ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL)); return 1; } -#line 1035 "ext/standard/var_unserializer.c" +#line 1036 "ext/standard/var_unserializer.c" yy65: yych = *++YYCURSOR; if (yych <= ',') { @@ -1090,7 +1091,7 @@ yy73: yych = *++YYCURSOR; if (yych != ';') goto yy18; ++YYCURSOR; -#line 566 "ext/standard/var_unserializer.re" +#line 567 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); @@ -1105,7 +1106,7 @@ yy73: return 1; } -#line 1109 "ext/standard/var_unserializer.c" +#line 1110 "ext/standard/var_unserializer.c" yy76: yych = *++YYCURSOR; if (yych == 'N') goto yy73; @@ -1132,7 +1133,7 @@ yy79: if (yych <= '9') goto yy79; if (yych != ';') goto yy18; ++YYCURSOR; -#line 539 "ext/standard/var_unserializer.re" +#line 540 "ext/standard/var_unserializer.re" { #if SIZEOF_LONG == 4 int digits = YYCURSOR - start - 3; 
@@ -1159,7 +1160,7 @@ yy79: ZVAL_LONG(*rval, parse_iv(start + 2)); return 1; } -#line 1163 "ext/standard/var_unserializer.c" +#line 1164 "ext/standard/var_unserializer.c" yy83: yych = *++YYCURSOR; if (yych <= '/') goto yy18; @@ -1167,24 +1168,24 @@ yy83: yych = *++YYCURSOR; if (yych != ';') goto yy18; ++YYCURSOR; -#line 532 "ext/standard/var_unserializer.re" +#line 533 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); ZVAL_BOOL(*rval, parse_iv(start + 2)); return 1; } -#line 1178 "ext/standard/var_unserializer.c" +#line 1179 "ext/standard/var_unserializer.c" yy87: ++YYCURSOR; -#line 525 "ext/standard/var_unserializer.re" +#line 526 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); ZVAL_NULL(*rval); return 1; } -#line 1188 "ext/standard/var_unserializer.c" +#line 1189 "ext/standard/var_unserializer.c" yy89: yych = *++YYCURSOR; if (yych <= ',') { @@ -1207,7 +1208,7 @@ yy91: if (yych <= '9') goto yy91; if (yych != ';') goto yy18; ++YYCURSOR; -#line 502 "ext/standard/var_unserializer.re" +#line 503 "ext/standard/var_unserializer.re" { long id; @@ -1230,7 +1231,7 @@ yy91: return 1; } -#line 1234 "ext/standard/var_unserializer.c" +#line 1235 "ext/standard/var_unserializer.c" yy95: yych = *++YYCURSOR; if (yych <= ',') { @@ -1253,7 +1254,7 @@ yy97: if (yych <= '9') goto yy97; if (yych != ';') goto yy18; ++YYCURSOR; -#line 481 "ext/standard/var_unserializer.re" +#line 482 "ext/standard/var_unserializer.re" { long id; @@ -1274,9 +1275,9 @@ yy97: return 1; } -#line 1278 "ext/standard/var_unserializer.c" +#line 1279 "ext/standard/var_unserializer.c" } -#line 830 "ext/standard/var_unserializer.re" +#line 831 "ext/standard/var_unserializer.re" return 0; diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re index 0ca2e28309..130750805f 100644 --- a/ext/standard/var_unserializer.re +++ b/ext/standard/var_unserializer.re 
@@ -21,6 +21,7 @@ #include "php.h" #include "ext/standard/php_var.h" #include "php_incomplete_class.h" +#include "Zend/zend_interfaces.h" /* {{{ reference-handling for unserializer: var_* */ #define VAR_ENTRIES_MAX 1024 @@ -404,7 +405,7 @@ static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce) Serializable interface have eventually an inconsistent behavior at this place when unserialized from a manipulated string. Additionaly the interal classes can possibly crash PHP so they're still disabled here. */ - if (ce->serialize == NULL || ZEND_INTERNAL_CLASS != ce->type) { + if (ce->serialize == NULL || ce->unserialize == zend_user_unserialize || (ZEND_INTERNAL_CLASS != ce->type && ce->create_object == NULL)) { object_init_ex(*rval, ce); } else { /* If this class implements Serializable, it should not land here but in object_custom(). The passed string -- 2.40.0
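Review bot: The comment directly above the changed `if` in object_common1 still says the internal classes "are still disabled here", but the new condition admits any class whose `ce->unserialize == zend_user_unserialize` regardless of `ce->type` — the expected output in bug67072_2.phpt shows `ArrayObject` and `SplObjectStorage`, both internal, now being created through this path — so the comment describes the old rule, not this one (it also misspells "Additionally" and "internal"). I would rewrite that sentence to name the three cases the condition accepts (no Serializable hook at all, a userland/method-based Serializable implementation, or a user class with no custom `create_object`) and why the remaining case is refused: an internal class with a native serialize hook, or a user subclass inheriting its `create_object`, would be built by `object_init_ex()` with its native state left as `create_object` initializes it, which is presumably the #67072 crash this guards against — worth confirming and stating explicitly so the next relaxation of this check is made deliberately. The condition is also a single ~140-character line with three disjuncts and a nested conjunction; splitting it one disjunct per line, `if (ce->serialize == NULL` / `    || ce->unserialize == zend_user_unserialize` / `    || (ZEND_INTERNAL_CLASS != ce->type && ce->create_object == NULL)) {`, would make the rule readable next to its comment. object_common1 starts and ends outside this hunk, and the identical edit in the generated var_unserializer.c must be kept in step with this .re file.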