Zend: Implement __unserialize() for Exception/Error

Author: Girgias

Zend/tests/serialize/bug70121.phpt

@@ -8,6 +8,7 @@ OK
 --EXPECTF--
 Fatal error: Uncaught TypeError: Cannot assign stdClass to property Exception::$previous of type ?Throwable in %s:%d
 Stack trace:
-#0 %s(%d): unserialize('O:12:"DateInter...')
-#1 {main}
+#0 [internal function]: Exception->__unserialize(Array)
+#1 %s(%d): unserialize('O:12:"DateInter...')
+#2 {main}
   thrown in %s on line %d

Zend/zend_exceptions.c

@@ -396,6 +396,95 @@ ZEND_METHOD(Exception, __wakeup)
 }
 /* }}} */
 
+ZEND_METHOD(Exception, __unserialize)
+{
+	HashTable *ht;
+
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "h", &ht) == FAILURE) {
+		RETURN_THROWS();
+	}
+
+	/* Fake strict_types as zend_update_property_ex() would coerce values compared to unserialize() */
+	EG(current_execute_data)->func->common.fn_flags |= ZEND_ACC_STRICT_TYPES;
+
+	zend_string *key = NULL;
+	zval *tmp;
+	ZEND_HASH_FOREACH_STR_KEY_VAL(ht, key, tmp) {
+		if (UNEXPECTED(key == NULL)) {
+			zend_throw_error(NULL, "Must have a string key");
+			RETURN_THROWS();
+		}
+		if (ZSTR_VAL(key)[0] == '\0') {
+			if (zend_string_equals_literal(key, "\0*\0message")) {
+				if (Z_TYPE_P(tmp) != IS_STRING) {
+					zend_type_error("Cannot assign %s to property %s::$message of type string",
+						zend_zval_type_name(tmp), ZSTR_VAL(Z_OBJCE_P(ZEND_THIS)->name));
+					RETURN_THROWS();
+				}
+				zend_update_property_num_checked(NULL, Z_OBJ_P(ZEND_THIS), ZEND_EXCEPTION_MESSAGE_OFF, ZSTR_KNOWN(ZEND_STR_MESSAGE), tmp);
+				zval_add_ref(tmp);
+				if (UNEXPECTED(EG(exception))) {
+					RETURN_THROWS();
+				}
+				continue;
+			}
+			if (zend_string_equals_literal(key, "\0*\0code")) {
+				if (Z_TYPE_P(tmp) != IS_LONG) {
+					zend_type_error("Cannot assign %s to property %s::$code of type int",
+						zend_zval_type_name(tmp), ZSTR_VAL(Z_OBJCE_P(ZEND_THIS)->name));
+					RETURN_THROWS();
+				}
+				zend_update_property_num_checked(NULL, Z_OBJ_P(ZEND_THIS), ZEND_EXCEPTION_CODE_OFF, ZSTR_KNOWN(ZEND_STR_CODE), tmp);
+				if (UNEXPECTED(EG(exception))) {
+					RETURN_THROWS();
+				}
+				continue;
+			}
+			if (zend_string_equals_literal(key, "\0Exception\0previous") || zend_string_equals_literal(key, "\0Error\0previous")) {
+				if (Z_TYPE_P(tmp) != IS_NULL && !instanceof_function(Z_OBJCE_P(tmp), zend_ce_throwable)) {
+					zend_type_error("Cannot assign %s to property %s::$previous of type ?Throwable",
+						zend_zval_type_name(tmp), ZSTR_VAL(Z_OBJCE_P(ZEND_THIS)->name));
+					RETURN_THROWS();
+				}
+				zend_update_property_num_checked(NULL, Z_OBJ_P(ZEND_THIS), ZEND_EXCEPTION_PREVIOUS_OFF, ZSTR_KNOWN(ZEND_STR_PREVIOUS), tmp);
+				zval_add_ref(tmp);
+				if (UNEXPECTED(EG(exception))) {
+					RETURN_THROWS();
+				}
+				continue;
+			}
+			if (zend_string_equals_literal(key, "\0Exception\0trace") || zend_string_equals_literal(key, "\0Error\0trace")) {
+				if (Z_TYPE_P(tmp) != IS_ARRAY) {
+					zend_type_error("Cannot assign %s to property %s::$trace of type array",
+						zend_zval_type_name(tmp), ZSTR_VAL(Z_OBJCE_P(ZEND_THIS)->name));
+					RETURN_THROWS();
+				}
+				zend_update_property_num_checked(NULL, Z_OBJ_P(ZEND_THIS), ZEND_EXCEPTION_TRACE_OFF, ZSTR_KNOWN(ZEND_STR_TRACE), tmp);
+				zval_add_ref(tmp);
+				if (UNEXPECTED(EG(exception))) {
+					RETURN_THROWS();
+				}
+				continue;
+			}
+			if (zend_string_starts_with_cstr(key, ZEND_STRL("\0*\0"))) {
+				const char *name = ZSTR_VAL(key) + sizeof("\0*\0")-1;
+				zend_update_property(NULL, Z_OBJ_P(ZEND_THIS), name, strlen(name), tmp);
+				if (UNEXPECTED(EG(exception))) {
+					RETURN_THROWS();
+				}
+				continue;
+			}
+			// TODO: other private props?
+		} else {
+			zend_update_property_ex(NULL, Z_OBJ_P(ZEND_THIS), key, tmp);
+			if (UNEXPECTED(EG(exception))) {
+				RETURN_THROWS();
+			}
+		}
+	} ZEND_HASH_FOREACH_END();
+}
+/* }}} */
+
 /* {{{ ErrorException constructor */
 ZEND_METHOD(ErrorException, __construct)
 {

Zend/zend_exceptions.stub.php

@@ -47,6 +47,8 @@ public function __construct(string $message = "", int $code = 0, ?Throwable $pre
     /** @tentative-return-type */
     public function __wakeup(): void {}
 
+    public function __unserialize(array $data): void {}
+
     final public function getMessage(): string {}
 
     /** @return int */
@@ -111,6 +113,11 @@ public function __construct(string $message = "", int $code = 0, ?Throwable $pre
      */
     public function __wakeup(): void {}
 
+    /**
+     * @implementation-alias Exception::__unserialize
+     */
+    public function __unserialize(array $data): void {}
+
     /** @implementation-alias Exception::getMessage */
     final public function getMessage(): string {}
 

Zend/zend_exceptions_arginfo.h

@@ -13,6 +13,7 @@ echo unserialize($data);
 --EXPECTF--
 Fatal error: Uncaught TypeError: Cannot assign %s to property SoapFault::$faultcode of type ?string in %s:%d
 Stack trace:
-#0 %sbug73452.php(4): unserialize('O:9:"SoapFault"...')
-#1 {main}
+#0 [internal function]: Exception->__unserialize(Array)
+#1 %s(4): unserialize('O:9:"SoapFault"...')
+#2 {main}
   thrown in %s on line %d

ext/soap/tests/bugs/bug73452.phpt

@@ -2,15 +2,25 @@
 Bug #69152: Type Confusion Infoleak Vulnerability in unserialize()
 --FILE--
 <?php
-$x = unserialize('O:9:"exception":1:{s:16:"'."\0".'Exception'."\0".'trace";s:4:"ryat";}');
-echo $x;
-$x =  unserialize('O:4:"test":1:{s:27:"__PHP_Incomplete_Class_Name";R:1;}');
-$x->test();
+try {
+	$x = unserialize('O:9:"exception":1:{s:16:"'."\0".'Exception'."\0".'trace";s:4:"ryat";}');
+	var_dump($x);
+} catch (Throwable $e) {
+	echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
+try {
+	$x = unserialize('O:4:"test":1:{s:27:"__PHP_Incomplete_Class_Name";R:1;}');
+	var_dump($x);
+	$x->test();
+} catch (Throwable $e) {
+	echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
 
 ?>
---EXPECTF--
-Fatal error: Uncaught TypeError: Cannot assign string to property Exception::$trace of type array in %s:%d
-Stack trace:
-#0 %s(%d): unserialize('O:9:"exception"...')
-#1 {main}
-  thrown in %s on line %d
+--EXPECT--
+TypeError: Cannot assign string to property Exception::$trace of type array
+object(__PHP_Incomplete_Class)#1 (1) {
+  ["__PHP_Incomplete_Class_Name"]=>
+  *RECURSION*
+}
+Error: The script tried to call a method on an incomplete object. Please ensure that the class definition "unknown" of the object you are trying to operate on was loaded _before_ unserialize() gets called or provide an autoloader to load the class definition

ext/standard/tests/serialize/bug69152.phpt

@@ -2,13 +2,13 @@
 Bug #69793: Remotely triggerable stack exhaustion via recursive method calls
 --FILE--
 <?php
-$e = unserialize('O:9:"Exception":7:{s:17:"'."\0".'Exception'."\0".'string";s:1:"a";s:7:"'."\0".'*'."\0".'code";i:0;s:7:"'."\0".'*'."\0".'file";s:0:"";s:7:"'."\0".'*'."\0".'line";i:1337;s:16:"'."\0".'Exception'."\0".'trace";a:0:{}s:19:"'."\0".'Exception'."\0".'previous";i:10;s:10:"'."\0".'*'."\0".'message";N;}');
-
-var_dump($e."");
+try {
+	$e = unserialize('O:9:"Exception":7:{s:17:"'."\0".'Exception'."\0".'string";s:1:"a";s:7:"'."\0".'*'."\0".'code";i:0;s:7:"'."\0".'*'."\0".'file";s:0:"";s:7:"'."\0".'*'."\0".'line";i:1337;s:16:"'."\0".'Exception'."\0".'trace";a:0:{}s:19:"'."\0".'Exception'."\0".'previous";i:10;s:10:"'."\0".'*'."\0".'message";N;}');
+	var_dump($e);
+	var_dump($e."");
+} catch (Throwable $e) {
+	echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
 ?>
---EXPECTF--
-Fatal error: Uncaught TypeError: Cannot assign int to property Exception::$previous of type ?Throwable in %s:%d
-Stack trace:
-#0 %s(%d): unserialize('O:9:"Exception"...')
-#1 {main}
-  thrown in %s on line %d
+--EXPECT--
+TypeError: Cannot assign null to property Exception::$message of type string

ext/standard/tests/serialize/bug69793.phpt

@@ -2,12 +2,19 @@
 Bug #70963 (Unserialize shows UNKNOW in result)
 --FILE--
 <?php
-var_dump(unserialize('a:2:{i:0;O:9:"exception":1:{s:16:"'."\0".'Exception'."\0".'trace";s:4:"test";}i:1;R:3;}'));
-var_dump(unserialize('a:2:{i:0;O:9:"exception":1:{s:16:"'."\0".'Exception'."\0".'trace";s:4:"test";}i:1;r:3;}'));
+try {
+	var_dump(unserialize('a:2:{i:0;O:9:"exception":1:{s:16:"'."\0".'Exception'."\0".'trace";s:4:"test";}i:1;R:3;}'));
+} catch (Throwable $e) {
+	echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
+try {
+	var_dump(unserialize('a:2:{i:0;O:9:"exception":1:{s:16:"'."\0".'Exception'."\0".'trace";s:4:"test";}i:1;r:3;}'));
+} catch (Throwable $e) {
+	echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
 ?>
 --EXPECTF--
-Fatal error: Uncaught TypeError: Cannot assign string to property Exception::$trace of type array in %s:%d
-Stack trace:
-#0 %s(%d): unserialize('a:2:{i:0;O:9:"e...')
-#1 {main}
-  thrown in %s on line %d
+TypeError: Cannot assign string to property Exception::$trace of type array
+
+Warning: unserialize(): Error at offset 72 of 73 bytes in %s on line %d
+TypeError: Cannot assign string to property Exception::$trace of type array

ext/standard/tests/serialize/bug70963.phpt

@@ -37,7 +37,7 @@ string(183) "Class [ <internal:Core> class stdClass ] {
 }
 
 "
-string(2232) "Class [ <internal:Core> class Exception implements Stringable, Throwable ] {
+string(2406) "Class [ <internal:Core> class Exception implements Stringable, Throwable ] {
 
   - Constants [0] {
   }
@@ -58,7 +58,7 @@ string(2232) "Class [ <internal:Core> class Exception implements Stringable, Thr
     Property [ private ?Throwable $previous = NULL ]
   }
 
-  - Methods [11] {
+  - Methods [12] {
     Method [ <internal:Core> private method __clone ] {
 
       - Parameters [0] {
@@ -82,6 +82,14 @@ string(2232) "Class [ <internal:Core> class Exception implements Stringable, Thr
       - Tentative return [ void ]
     }
 
+    Method [ <internal:Core> public method __unserialize ] {
+
+      - Parameters [1] {
+        Parameter #0 [ <required> array $data ]
+      }
+      - Return [ void ]
+    }
+
     Method [ <internal:Core, prototype Throwable> final public method getMessage ] {
 
       - Parameters [0] {