Merge branch '10.5' into 11.5

sebastianbergmann · sebastianbergmann · commit 72c74a0904fa · 2026-01-26T17:57:56.000+01:00
* 10.5:
  Do not run PHPT test when its temporary file for code coverage information exists
  We do not need to unserialize() objects here
  Extract method
  Fix CS/WS issue
diff --git a/ChangeLog-11.5.md b/ChangeLog-11.5.md
@@ -2,6 +2,12 @@
 
 All notable changes of the PHPUnit 11.5 release series are documented in this file using the [Keep a CHANGELOG](https://keepachangelog.com/) principles.
 
+## [11.5.50] - 2026-MM-DD
+
+### Changed
+
+* To prevent Poisoned Pipeline Execution (PPE) attacks using prepared `.coverage` files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs
+
 ## [11.5.49] - 2026-01-24
 
 ### Fixed
@@ -413,6 +419,7 @@ All notable changes of the PHPUnit 11.5 release series are documented in this fi
 * [#6055](https://github.com/sebastianbergmann/phpunit/issues/6055): `assertNotContainsOnly()` (use `assertContainsNotOnlyArray()`, `assertContainsNotOnlyBool()`, `assertContainsNotOnlyCallable()`, `assertContainsNotOnlyFloat()`, `assertContainsNotOnlyInt()`, `assertContainsNotOnlyIterable()`, `assertContainsNotOnlyNumeric()`, `assertContainsNotOnlyObject()`, `assertContainsNotOnlyResource()`, `assertContainsNotOnlyClosedResource()`, `assertContainsNotOnlyScalar()`, or `assertContainsNotOnlyString()` instead)
 * [#6059](https://github.com/sebastianbergmann/phpunit/issues/6059): `containsOnly()` (use `containsOnlyArray()`, `containsOnlyBool()`, `containsOnlyCallable()`, `containsOnlyFloat()`, `containsOnlyInt()`, `containsOnlyIterable()`, `containsOnlyNumeric()`, `containsOnlyObject()`, `containsOnlyResource()`, `containsOnlyClosedResource()`, `containsOnlyScalar()`, or `containsOnlyString()` instead)
 
+[11.5.50]: https://github.com/sebastianbergmann/phpunit/compare/11.5.49...11.5
 [11.5.49]: https://github.com/sebastianbergmann/phpunit/compare/11.5.48...11.5.49
 [11.5.48]: https://github.com/sebastianbergmann/phpunit/compare/11.5.47...11.5.48
 [11.5.47]: https://github.com/sebastianbergmann/phpunit/compare/11.5.46...11.5.47
diff --git a/src/Runner/Exception/CodeCoverageFileExistsException.php b/src/Runner/Exception/CodeCoverageFileExistsException.php
@@ -0,0 +1,21 @@
+<?php declare(strict_types=1);
+/*
+ * This file is part of PHPUnit.
+ *
+ * (c) Sebastian Bergmann <sebastian@phpunit.de>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+namespace PHPUnit\Runner;
+
+use RuntimeException;
+
+/**
+ * @no-named-arguments Parameter names are not covered by the backward compatibility promise for PHPUnit
+ *
+ * @internal This class is not covered by the backward compatibility promise for PHPUnit
+ */
+final class CodeCoverageFileExistsException extends RuntimeException implements Exception
+{
+}
diff --git a/src/Runner/PHPT/PhptTestCase.php b/src/Runner/PHPT/PhptTestCase.php
@@ -20,6 +20,7 @@
 use function explode;
 use function extension_loaded;
 use function file;
+use function file_exists;
 use function file_get_contents;
 use function file_put_contents;
 use function is_array;
@@ -34,6 +35,7 @@
 use function preg_split;
 use function realpath;
 use function rtrim;
+use function sprintf;
 use function str_contains;
 use function str_replace;
 use function str_starts_with;
@@ -93,6 +95,8 @@ final class PhptTestCase implements Reorderable, SelfDescribing, Test
     public function __construct(string $filename)
     {
         $this->filename = $filename;
+
+        $this->ensureCoverageFileDoesNotExist();
     }
 
     /**
@@ -784,7 +788,7 @@ private function cleanupForCoverage(): RawCodeCoverageData
         }
 
         if ($buffer !== false) {
-            $coverage = @unserialize($buffer);
+            $coverage = @unserialize($buffer, ['allowed_class' => false]);
 
             if ($coverage === false) {
                 /**
@@ -986,4 +990,22 @@ private function settings(bool $collectCoverage): array
 
         return $settings;
     }
+
+    /**
+     * @throws CodeCoverageFileExistsException
+     */
+    private function ensureCoverageFileDoesNotExist(): void
+    {
+        $files = $this->coverageFiles();
+
+        if (file_exists($files['coverage'])) {
+            throw new CodeCoverageFileExistsException(
+                sprintf(
+                    'File %s exists, PHPT test %s will not be executed',
+                    $files['coverage'],
+                    $this->filename,
+                ),
+            );
+        }
+    }
 }
diff --git a/tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage b/tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
diff --git a/tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt b/tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt
@@ -0,0 +1,7 @@
+--TEST--
+test
+--FILE--
+<?php declare(strict_types=1);
+print 'test';
+--EXPECT--
+test
diff --git a/tests/end-to-end/phpt/phpt-coverage-file-exists.phpt b/tests/end-to-end/phpt/phpt-coverage-file-exists.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Error when code coverage file exists
+--FILE--
+<?php declare(strict_types=1);
+$_SERVER['argv'][] = '--do-not-cache-result';
+$_SERVER['argv'][] = '--no-configuration';
+$_SERVER['argv'][] = \realpath(__DIR__ . '/../_files/phpt-coverage-file-exists/test.phpt');
+
+require_once __DIR__ . '/../../bootstrap.php';
+
+(new PHPUnit\TextUI\Application)->run($_SERVER['argv']);
+--EXPECTF--
+PHPUnit %s by Sebastian Bergmann and contributors.
+
+Runtime: %s
+
+There was 1 PHPUnit test runner warning:
+
+1) File %stest.coverage exists, PHPT test %stest.phpt will not be executed
+
+No tests executed!
