prevent users from instantiating internal classes from data because it sets arbitrary properties before calling the constructor which can have weird consequences

Author: mattdinthehouse

ext/reflection/php_reflection.c

@@ -5140,6 +5140,11 @@ ZEND_METHOD(ReflectionClass, newInstanceFromData)
 
 	GET_REFLECTION_OBJECT_PTR(ce);
 
+	if (ce->type == ZEND_INTERNAL_CLASS) {
+		zend_throw_exception_ex(reflection_exception_ptr, 0, "Class %s is an internal class that cannot be instantiated from data", ZSTR_VAL(ce->name));
+		RETURN_THROWS();
+	}
+
 	ZEND_PARSE_PARAMETERS_START(1, 2)
 		Z_PARAM_ARRAY_HT(data)
 		Z_PARAM_OPTIONAL

ext/reflection/tests/ReflectionClass_newInstanceFromData_002.phpt

@@ -0,0 +1,30 @@
+--TEST--
+ReflectionClass::newInstanceFromData - internal class
+--FILE--
+<?php
+
+$rcDateTime = new ReflectionClass('DateTime');
+$rcPDOStatement = new ReflectionClass('PDOStatement');
+
+try
+{
+    $rcDateTime->newInstanceFromData([], ['now', new DateTimeZone('UTC')]);
+}
+catch(Throwable $e)
+{
+    echo "Exception: " . $e->getMessage() . "\n";
+}
+
+try
+{
+    $rcPDOStatement->newInstanceFromData(['a' => 123]);
+}
+catch(Throwable $e)
+{
+    echo "Exception: " . $e->getMessage() . "\n";
+}
+
+?>
+--EXPECTF--
+Exception: Class DateTime is an internal class that cannot be instantiated from data
+Exception: Class PDOStatement is an internal class that cannot be instantiated from data