History log of /PHP-8.1/ext/standard/var_unserializer.re (Results 1 – 25 of 311)
Revision tags: php-8.1.7RC1, php-8.1.4RC1, php-8.1.3, php-8.1.2RC1, php-8.1.0, php-7.3.33, php-7.3.32, php-7.3.31, php-7.3.30
# 4a4ae45a 12-Aug-2021 Nikita Popov

Fix bug #81142 by adding zend_string_init_existing_interned()

Add a new interned string handler that fetches an interned string
if it exists, but does not create one if it does not (and instead
returns a non-interned string).

This fixes bug #81142, by preventing the creation of new interned
strings for unserialized array keys.

Closes GH-7360.

# 814a9327 16-Jul-2021 Nikita Popov

Add ZEND_ACC_NOT_SERIALIZABLE flag

This prevents serialization and unserialization of a class and its
children in a way that does not depend on the zend_class_serialize_deny
and zend_class_unserialize_deny handlers that will be going away
in PHP 9 together with the Serializable interface.

In stubs, `@not-serializable` can be used to set this flag.

This patch only uses the new flag for a handful of Zend classes,
converting the remainder is left for later.

Closes GH-7249.
Fixes bug #81111.

Revision tags: php-7.3.29
# 01b3fc03 06-May-2021 KsaR

Update http->https in license (#6945)

1. Update: http://www.php.net/license/3_01.txt to https, as there is anyway server header "Location:" to https.
2. Update few license 3.0 to 3.01 as 3.0 states "php 5.1.1, 4.1.1, and earlier".
3. In some license comments is "at through the world-wide-web" while most is without "at", so deleted.
4. fixed indentation in some files before |

# fd1d5ec2 28-Apr-2021 Nikita Popov

Add ZEND_CLASS_CONST_FLAGS() macro

And drop Z_ACCESS_FLAGS(). We no longer store *only* access flags
in these.

Revision tags: php-7.3.28
# f681c4a7 09-Apr-2021 Dmitry Stogov

Use Fast Class Cache to speedup object unserialization

# f191e4f2 08-Apr-2021 Dmitry Stogov

Avoid destructor call for LONG keys

# 556d7526 08-Apr-2021 Dmitry Stogov

Prevent call of var_push_dtor_value() on hot path.

When serialising object properties, they may often override the
default values, however default values are most often scalars, interned
strings or immutable arrays.

# b3e59dc1 07-Apr-2021 Dmitry Stogov

unserialize() optimization

Revision tags: php-7.3.27, php-7.3.26, php-7.3.26RC1, php-7.3.25, php-7.3.25RC1, php-7.3.24, php-7.3.24RC1, php-7.3.23, php-7.3.23RC1, php-7.3.22, php-7.3.22RC1, php-7.3.21, php-7.3.21RC1, php-7.3.20, php-7.3.20RC1
# 269c8dac 10-Jun-2020 Ilija Tovilo

Implement enums

RFC: https://wiki.php.net/rfc/enumerations

Co-authored-by: Nikita Popov <nikita.ppv@gmail.com>

Closes GH-6489.

# 0f6c0020 25-Feb-2021 Dmitry Stogov

Speed up __sleep() and __wakeup() calls

# 3b29f516 20-Feb-2021 Dmitry Stogov

Revert "Remove class validation. zend_lookup_class_ex() performs it anyway."

This reverts commit 61cf1355fd53b6556f0502510ba3e1efbd04d242.

Class name validation is only performed if key is not passed. Here, lc_name is passed as key.

# 61cf1355 20-Feb-2021 Dmitry Stogov

Remove class validation. zend_lookup_class_ex() performs it anyway.

# e0328473 18-Feb-2021 Nikita Popov

Initialize property to UNDEF on unserialize overwrite

The UNDEF marker here is important to prevent the creation of
a reference to the property currently being overwritten, which
would then leak.

This fixes oss-fuzz 6029559193534464, which was incorrectly
merged into oss-fuzz #30584 (which is reported at
https://github.com/google/oss-fuzz/issues/5211).

# b87080f3 18-Feb-2021 Nikita Popov

Don't use unmangled name if property not found

This restores the previous behavior for this case. We'll continue
to use the mangled name, even if it does not correspond to a
declared property.

This also fixes an assertion failure for the case of property
overwrite, as the add_new was not guaranteed to be "new" previously.

Fixes oss-fuzz #31045.

# 76b36356 17-Feb-2021 Dmitry Stogov

unserialize() optimization. Omit class name validation before hash lookup, and perform it only before autoloading.

# 081349fe 16-Feb-2021 Dmitry Stogov

Improved unserialize() performance. Checks for object property "visibility change" were moved, to be performed only if name/visibility had been really changed.

# 141c4be7 15-Jan-2021 Nikita Popov

Limit unserialization element count more aggressively

This is slightly more aggressive about rejecting obviously incorrect
element counts. Previously the number of elements was allowed to
match the number of characters. Now it is the number of characters
divided by two (this can actually be increased further to at least 4).

This doesn't really matter in the grand scheme of things (as it
just cuts maximum memory usage by half), but should fix
oss-fuzz #29356.

# 3e01f5af 15-Jan-2021 Nikita Popov

Replace zend_bool uses with bool

We're starting to see a mix between uses of zend_bool and bool.
Replace all usages with the standard bool type everywhere.

Of course, zend_bool is retained as an alias.

# 2d467abc 07-Dec-2020 Nikita Popov

Fix another typed resource issue in unserialization

We also need to discard old entries in the ref_props HT when values
are overwritten.

We should really forbid these kinds of overwrites. I believe they
can only occur in manually crafted serialization strings, and
cause so many problems...

Fixes oss-fuzz #28257.

# 77325c44 04-Dec-2020 Nikita Popov

Fix removal of type source during unserialization

Missed a check for info in this code. Add it, and add an assertion
in type source removal to make it easier to catch this issue.

Fixes oss-fuzz #28208 and #28257.

# ed9532cf 30-Nov-2020 Nikita Popov

Fix another ref source management bug in unserialize

When we overwrite an existing property during unserialization,
we also have to drop the ref source from it.

# f5b93626 25-Nov-2020 Nikita Popov

Fix unserialization ref source management, again

Handle one case the previous patch did not account for: If
unserialization of data fails, we should still register a ref
source.

Also add an extra test for a reference between two typed properties,
as this used to be handled incorrectly earlier.

# 7a3f25e3 25-Nov-2020 Nikita Popov

Fix ref source management during unserialization

Only register the slot for adding ref sources later if we didn't
immediately register one. Also avoids leaking a ref source if
it is added early and the assignment fails.

Fixes oss-fuzz #27628.

# df5011f5 28-Aug-2020 Nikita Popov

Export and reuse zend_is_valid_class_name API

Unserialization does the same check as zend_lookup_class, so let's
share the same optimized implementation.

# c47011ba 28-Aug-2020 Nikita Popov

Use zend_string when storing incomplete class name

No need to copy the string here...
