Fix GH-21682: Add NOT_SERIALIZABLE to ZipArchive, XMLWriter, XMLReader, SNMP, tidy, tidyNode

ext/snmp/snmp.stub.php

@@ -181,6 +181,7 @@ function snmp_get_valueretrieval(): int {}
 
 function snmp_read_mib(string $filename): bool {}
 
+/** @not-serializable */
 class SNMP
 {
     /** @cvalue SNMP_VERSION_1 */

ext/snmp/tests/bug72479.phpt

@@ -10,28 +10,12 @@ require_once(__DIR__.'/skipif.inc');
 <?php
 $arr = [1, [1, 2, 3, 4, 5], 3, 4, 5];
 $poc = 'a:3:{i:1;N;i:2;O:4:"snmp":1:{s:11:"quick_print";'.serialize($arr).'}i:1;R:7;}';
-$out = unserialize($poc);
-gc_collect_cycles();
-$fakezval = ptr2str(1122334455);
-$fakezval .= ptr2str(0);
-$fakezval .= "\x00\x00\x00\x00";
-$fakezval .= "\x01";
-$fakezval .= "\x00";
-$fakezval .= "\x00\x00";
-for ($i = 0; $i < 5; $i++) {
-    $v[$i] = $fakezval.$i;
-}
-var_dump($out[1]);
-
-function ptr2str($ptr)
-{
-    $out = '';
-    for ($i = 0; $i < 8; $i++) {
-        $out .= chr($ptr & 0xff);
-        $ptr >>= 8;
-    }
-    return $out;
+try {
+    $out = unserialize($poc);
+    var_dump($out);
+} catch (Exception $e) {
+    echo $e->getMessage() . "\n";
 }
 ?>
 --EXPECT--
-int(1)
+Unserialization of 'SNMP' is not allowed

ext/snmp/tests/gh21682.phpt

@@ -0,0 +1,17 @@
+--TEST--
+GH-21682 (SNMP should not be serializable)
+--EXTENSIONS--
+snmp
+--FILE--
+<?php
+$s = new SNMP(SNMP::VERSION_1, "localhost", "public");
+try {
+    serialize($s);
+    echo "ERROR: should have thrown\n";
+} catch (\Exception $e) {
+    echo $e->getMessage() . "\n";
+}
+$s->close();
+?>
+--EXPECT--
+Serialization of 'SNMP' is not allowed

ext/standard/tests/strings/bug72434.phpt

@@ -1,29 +1,17 @@
 --TEST--
 Bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
+--EXTENSIONS--
+zip
 --FILE--
 <?php
-// The following array will be serialized and this representation will be freed later on.
 $free_me = array(new StdClass());
-// Create our payload and unserialize it.
 $serialized_payload = 'a:3:{i:1;N;i:2;O:10:"ZipArchive":1:{s:8:"filename";'.serialize($free_me).'}i:1;R:4;}';
-$unserialized_payload = unserialize($serialized_payload);
-gc_collect_cycles();
-// The reference counter for $free_me is at -1 for PHP 7 right now.
-// Increment the reference counter by 1 -> rc is 0
-$a = $unserialized_payload[1];
-// Increment the reference counter by 1 again -> rc is 1
-$b = $a;
-// Trigger free of $free_me (referenced by $m[1]).
-unset($b);
-$fill_freed_space_1 = "filler_zval_1";
-$fill_freed_space_2 = "filler_zval_2";
-$fill_freed_space_3 = "filler_zval_3";
-$fill_freed_space_4 = "filler_zval_4";
-debug_zval_dump($unserialized_payload[1]);
-?>
---EXPECTF--
-array(1) refcount(3){
-  [0]=>
-  object(stdClass)#%d (0) refcount(1){
-  }
+try {
+    $unserialized_payload = unserialize($serialized_payload);
+    var_dump($unserialized_payload);
+} catch (Exception $e) {
+    echo $e->getMessage() . "\n";
 }
+?>
+--EXPECT--
+Unserialization of 'ZipArchive' is not allowed

ext/tidy/tests/gh21682.phpt

@@ -0,0 +1,26 @@
+--TEST--
+GH-21682 (tidy and tidyNode should not be serializable)
+--EXTENSIONS--
+tidy
+--FILE--
+<?php
+$t = new tidy();
+try {
+    serialize($t);
+    echo "ERROR: should have thrown\n";
+} catch (\Exception $e) {
+    echo $e->getMessage() . "\n";
+}
+
+$t->parseString("<html><body>test</body></html>");
+$node = $t->body();
+try {
+    serialize($node);
+    echo "ERROR: should have thrown\n";
+} catch (\Exception $e) {
+    echo $e->getMessage() . "\n";
+}
+?>
+--EXPECT--
+Serialization of 'tidy' is not allowed
+Serialization of 'tidyNode' is not allowed

ext/tidy/tidy.stub.php

@@ -861,6 +861,7 @@ function tidy_get_head(tidy $tidy): ?tidyNode {}
 
 function tidy_get_body(tidy $tidy): ?tidyNode {}
 
+/** @not-serializable */
 class tidy
 {
     public ?string $errorBuffer = null;
@@ -973,6 +974,7 @@ public function html(): ?tidyNode {}
     public function body(): ?tidyNode {}
 }
 
+/** @not-serializable */
 final class tidyNode
 {
     public readonly string $value;

ext/xmlreader/php_xmlreader.stub.php

@@ -2,6 +2,7 @@
 
 /** @generate-class-entries */
 
+/** @not-serializable */
 class XMLReader
 {
     /* Constants for NodeType - cannot define common types to share with dom as there are differences in these types */

ext/xmlreader/tests/gh21682.phpt

@@ -0,0 +1,16 @@
+--TEST--
+GH-21682 (XMLReader should not be serializable)
+--EXTENSIONS--
+xmlreader
+--FILE--
+<?php
+$r = new XMLReader();
+try {
+    serialize($r);
+    echo "ERROR: should have thrown\n";
+} catch (\Exception $e) {
+    echo $e->getMessage() . "\n";
+}
+?>
+--EXPECT--
+Serialization of 'XMLReader' is not allowed

ext/xmlwriter/php_xmlwriter.stub.php

@@ -86,6 +86,7 @@ function xmlwriter_output_memory(XMLWriter $writer, bool $flush = true): string
 
 function xmlwriter_flush(XMLWriter $writer, bool $empty = true): string|int {}
 
+/** @not-serializable */
 class XMLWriter
 {
     /**

ext/xmlwriter/tests/gh21682.phpt

@@ -0,0 +1,16 @@
+--TEST--
+GH-21682 (XMLWriter should not be serializable)
+--EXTENSIONS--
+xmlwriter
+--FILE--
+<?php
+$w = new XMLWriter();
+try {
+    serialize($w);
+    echo "ERROR: should have thrown\n";
+} catch (\Exception $e) {
+    echo $e->getMessage() . "\n";
+}
+?>
+--EXPECT--
+Serialization of 'XMLWriter' is not allowed

ext/zip/php_zip.stub.php

@@ -64,6 +64,7 @@ function zip_entry_filesize($zip_entry): int|false {}
 #[\Deprecated(since: '8.0', message: 'use ZipArchive::statIndex() instead')]
 function zip_entry_compressionmethod($zip_entry): string|false {}
 
+/** @not-serializable */
 class ZipArchive implements Countable
 {
     /**

ext/zip/tests/gh21682.phpt

@@ -0,0 +1,16 @@
+--TEST--
+GH-21682 (ZipArchive is missing the NOT_SERIALIZABLE flag)
+--EXTENSIONS--
+zip
+--FILE--
+<?php
+$a = new ZipArchive();
+try {
+    serialize($a);
+    echo "ERROR: should have thrown\n";
+} catch (\Exception $e) {
+    echo $e->getMessage() . "\n";
+}
+?>
+--EXPECT--
+Serialization of 'ZipArchive' is not allowed