From efe24c0205176d91de7b4c5ea636992866b4a3cc Mon Sep 17 00:00:00 2001
From: Wez Furlong
Date: Sat, 10 Sep 2005 17:48:45 +0000
Subject: [PATCH] add __sleep and __wakeup functions to prevent serialize/deserialize from being used on PDO objects. Refs PECL #5217

---
 ext/pdo/pdo_dbh.c | 18 ++++++++++++++++++
 ext/pdo/pdo_stmt.c | 17 +++++++++++++++++
 ext/pdo/tests/pecl_bug_5217.phpt | 28 ++++++++++++++++++++++++++++
 3 files changed, 63 insertions(+)
 create mode 100644 ext/pdo/tests/pecl_bug_5217.phpt

diff --git a/ext/pdo/pdo_dbh.c b/ext/pdo/pdo_dbh.c
index 1130bb1b4a..c03de78e2c 100755
--- a/ext/pdo/pdo_dbh.c
+++ b/ext/pdo/pdo_dbh.c
@@ -960,6 +960,22 @@ static PHP_METHOD(PDO, quote)
 }
 /* }}} */
 
+/* {{{ proto int PDO::__wakeup()
+   Prevents use of a PDO instance that has been unserialized */
+static PHP_METHOD(PDO, __wakeup)
+{
+	zend_throw_exception_ex(php_pdo_get_exception(), 0 TSRMLS_CC, "You cannot serialize or unserialize PDO instances");
+}
+/* }}} */
+
+/* {{{ proto int PDO::__sleep()
+   Prevents serialization of a PDO instance */
+static PHP_METHOD(PDO, __sleep)
+{
+	zend_throw_exception_ex(php_pdo_get_exception(), 0 TSRMLS_CC, "You cannot serialize or unserialize PDO instances");
+}
+/* }}} */
+
 function_entry pdo_dbh_functions[] = {
 	PHP_ME_MAPPING(__construct, dbh_constructor, NULL)
@@ -975,6 +991,8 @@ function_entry pdo_dbh_functions[] = {
 	PHP_ME(PDO, errorInfo, NULL, ZEND_ACC_PUBLIC)
 	PHP_ME(PDO, getAttribute, NULL, ZEND_ACC_PUBLIC)
 	PHP_ME(PDO, quote, NULL, ZEND_ACC_PUBLIC)
+	PHP_ME(PDO, __wakeup, NULL, ZEND_ACC_PUBLIC|ZEND_ACC_FINAL)
+	PHP_ME(PDO, __sleep, NULL, ZEND_ACC_PUBLIC|ZEND_ACC_FINAL)
 	{NULL, NULL, NULL}
 };
 
diff --git a/ext/pdo/pdo_stmt.c b/ext/pdo/pdo_stmt.c
index 6201790dfd..16bb1e6ee4 100755
--- a/ext/pdo/pdo_stmt.c
+++ b/ext/pdo/pdo_stmt.c
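Review bot: PDO::__wakeup throws only after unserialize() has already instantiated the object, so the instance that is then released never passed through the constructor; it is worth confirming that the dbh free-storage handler tolerates a handle whose driver methods were never set, and the same applies to PDOStatement::__wakeup in the pdo_stmt.c hunk. PDO::__sleep likewise throws without producing the array serialize() expects from a __sleep handler, so check that serialize() stops on the pending exception instead of also emitting its "__sleep should return an array" notice. The `proto int` comment on each method does not match the body, which has no RETURN_* and always throws; `/* {{{ proto void PDO::__wakeup()` (and the same for `__sleep`) would describe the contract. Marking both entries ZEND_ACC_FINAL in pdo_dbh_functions[] is what keeps a subclass from overriding the guard, which deserves a comment on those two table lines: `/* final: subclasses must not re-enable (un)serialization */`.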
@@ -1859,6 +1859,21 @@ static PHP_METHOD(PDOStatement, debugDumpParams)
 }
 /* }}} */
 
+/* {{{ proto int PDOStatement::__wakeup()
+   Prevents use of a PDOStatement instance that has been unserialized */
+static PHP_METHOD(PDOStatement, __wakeup)
+{
+	zend_throw_exception_ex(php_pdo_get_exception(), 0 TSRMLS_CC, "You cannot serialize or unserialize PDOStatement instances");
+}
+/* }}} */
+
+/* {{{ proto int PDOStatement::__sleep()
+   Prevents serialization of a PDOStatement instance */
+static PHP_METHOD(PDOStatement, __sleep)
+{
+	zend_throw_exception_ex(php_pdo_get_exception(), 0 TSRMLS_CC, "You cannot serialize or unserialize PDOStatement instances");
+}
+/* }}} */
 function_entry pdo_dbstmt_functions[] = {
 	PHP_ME(PDOStatement, execute, NULL, ZEND_ACC_PUBLIC)
@@ -1880,6 +1895,8 @@ function_entry pdo_dbstmt_functions[] = {
 	PHP_ME(PDOStatement, nextRowset, NULL, ZEND_ACC_PUBLIC)
 	PHP_ME(PDOStatement, closeCursor, NULL, ZEND_ACC_PUBLIC)
 	PHP_ME(PDOStatement, debugDumpParams, NULL, ZEND_ACC_PUBLIC)
+	PHP_ME(PDOStatement, __wakeup, NULL, ZEND_ACC_PUBLIC|ZEND_ACC_FINAL)
+	PHP_ME(PDOStatement, __sleep, NULL, ZEND_ACC_PUBLIC|ZEND_ACC_FINAL)
 	{NULL, NULL, NULL}
 };
 
diff --git a/ext/pdo/tests/pecl_bug_5217.phpt b/ext/pdo/tests/pecl_bug_5217.phpt
new file mode 100644
index 0000000000..75df91956f
--- /dev/null
+++ b/ext/pdo/tests/pecl_bug_5217.phpt
@@ -0,0 +1,28 @@
+--TEST--
+PDO Common: PECL Bug #5217: serialize/unserialze safety
+--SKIPIF--
+ --FILE--
+exec('CREATE TABLE test (id int NOT NULL PRIMARY KEY, val VARCHAR(10))');
+} catch (Exception $e) {
+	echo "Safely caught " . $e->getMessage() . "\n";
+}
+
+echo "PHP Didn't crash!\n";
+?>
+--EXPECT--
+Safely caught You cannot serialize or unserialize PDO instances
+PHP Didn't crash!
-- 
2.50.1
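Review bot: The test's `--EXPECT--` block expects only `Safely caught You cannot serialize or unserialize PDO instances`, so only the PDO guards are exercised and the new PDOStatement::__sleep/__wakeup in pdo_stmt.c get no coverage; a second try/catch around `unserialize(serialize($db->prepare('SELECT 1')))` (constructed example) with the matching `PDOStatement instances` expectation would cover them. The `--SKIPIF--` body and the opening of `--FILE--` are missing here — the section starts mid-statement at `exec(`, apparently lost in extraction — so the actual serialize/unserialize call under test cannot be reviewed from this page. The `--TEST--` title misspells "unserialze"; `serialize/unserialize safety`.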