Fix GH-13970: Incorrect validation of #[\Attribute]’s first parameter #13976

Closed
wants to merge 1 commit into from
12 changes: 6 additions & 6 deletions Zend/zend_ast.c
Expand Up @@ -769,12 +769,6 @@ static zend_result ZEND_FASTCALL zend_ast_evaluate_ex(zval *result, zend_ast *as
break;
case ZEND_AST_CONST_ENUM_INIT:
{
// Preloading will attempt to resolve constants but objects can't be stored in shm
// Aborting here to store the const AST instead
if (CG(in_compilation)) {
Member

Maybe this should be replaced by if (CG(compiler_options) & ZEND_COMPILE_PRELOAD) {?

Member Author

Replacing this with CG(in_compilation) && (CG(compiler_options) & ZEND_COMPILE_PRELOAD) fixes the issue when not in preloading, but the issue still remains when in preloading.

return FAILURE;
}

zend_ast *class_name_ast = ast->child[0];
zend_string *class_name = zend_ast_get_str(class_name_ast);
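Review bot: removing the `if (CG(in_compilation))` early return at the top of `case ZEND_AST_CONST_ENUM_INIT` also deletes the only comment in this function explaining that objects cannot be stored in shm during preloading. After this hunk nothing here stops an enum object from being created while compiling, and the author's reply above says the problem still occurs in preloading. Leave a short comment at this spot stating where the shm restriction is enforced now, so the constraint stays discoverable from the evaluation code.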

Expand All @@ -792,6 +786,12 @@ static zend_result ZEND_FASTCALL zend_ast_evaluate_ex(zval *result, zend_ast *as
}

zend_class_entry *ce = zend_lookup_class(class_name);
if (!ce) {
/* Class may not be available when resolving constants on a dynamically
* declared enum during preloading. */
ZEND_ASSERT(CG(compiler_options) & ZEND_COMPILE_PRELOAD);
return FAILURE;
}
zend_enum_new(result, ce, case_name, case_value_ast != NULL ? &case_value_zv : NULL);
zval_ptr_dtor_nogc(&case_value_zv);
break;
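Review bot: the new `if (!ce)` branch returns FAILURE before `zval_ptr_dtor_nogc(&case_value_zv)` runs, so on that path a case value that was already evaluated is never released; release it before returning. Separately, `ZEND_ASSERT(CG(compiler_options) & ZEND_COMPILE_PRELOAD)` is only checked in debug builds, so in a release build a failed class lookup outside preloading is reported exactly like the expected preload case. If that is intended, say so in the comment; otherwise handle the non-preload failure explicitly instead of asserting.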
19 changes: 16 additions & 3 deletions ext/opcache/ZendAccelerator.c
Expand Up @@ -3755,6 +3755,19 @@ static zend_result preload_resolve_deps(preload_error *error, const zend_class_e
return SUCCESS;
}

static zend_result preload_update_constant(zval *val, zend_class_entry *scope)
{
zval tmp;
ZVAL_COPY(&tmp, val);
if (zval_update_constant_ex(&tmp, scope) == FAILURE || Z_COLLECTABLE(tmp)) {
Member

I don't see why all COLLECTABLE values can't be resolved.
This disables resolution of all constants whose values are arrays.

Member Author

Too conservative maybe, yes; an alternative is looping (recursively) over the array and checking if they contain objects.

zval_ptr_dtor(&tmp);
return FAILURE;
}
zval_ptr_dtor_nogc(val);
ZVAL_COPY_VALUE(val, &tmp);
return SUCCESS;
}

static bool preload_try_resolve_constants(zend_class_entry *ce)
{
bool ok, changed, was_changed = false;
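Review bot: `preload_update_constant()` has no comment explaining why it evaluates into `tmp` and then discards the result when `Z_COLLECTABLE(tmp)` is set. The test is on the value's type flags, so it rejects every array as well as objects, including arrays that hold only scalars. Add a function comment stating the invariant being protected (no objects in preloaded constant tables), and narrow the condition to what that invariant needs, for example by checking for `IS_OBJECT` and walking arrays for nested objects.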
Expand All @@ -3768,7 +3781,7 @@ static bool preload_try_resolve_constants(zend_class_entry *ce)
ZEND_HASH_MAP_FOREACH_PTR(&ce->constants_table, c) {
val = &c->value;
if (Z_TYPE_P(val) == IS_CONSTANT_AST) {
if (EXPECTED(zval_update_constant_ex(val, c->ce) == SUCCESS)) {
if (EXPECTED(preload_update_constant(val, c->ce) == SUCCESS)) {
was_changed = changed = true;
} else {
ok = false;
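Review bot: at this call site a FAILURE from `preload_update_constant()` now covers two different cases, a constant that could not be evaluated yet and a constant that evaluated fine but was discarded as collectable, and both fall into `ok = false`. A constant of the second kind can never make this loop report progress through `was_changed = changed = true`, however often it is retried. Either return a distinct result for "evaluated but not storable" or add a comment here saying that such constants are deliberately left as `IS_CONSTANT_AST` for run-time evaluation.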
Expand All @@ -3786,7 +3799,7 @@ static bool preload_try_resolve_constants(zend_class_entry *ce)
val = &ce->default_properties_table[i];
if (Z_TYPE_P(val) == IS_CONSTANT_AST) {
zend_property_info *prop = ce->properties_info_table[i];
if (UNEXPECTED(zval_update_constant_ex(val, prop->ce) != SUCCESS)) {
if (UNEXPECTED(preload_update_constant(val, prop->ce) != SUCCESS)) {
resolved = ok = false;
}
}
Expand All @@ -3802,7 +3815,7 @@ static bool preload_try_resolve_constants(zend_class_entry *ce)
val = ce->default_static_members_table + ce->default_static_members_count - 1;
while (count) {
if (Z_TYPE_P(val) == IS_CONSTANT_AST) {
if (UNEXPECTED(zval_update_constant_ex(val, ce) != SUCCESS)) {
if (UNEXPECTED(preload_update_constant(val, ce) != SUCCESS)) {
resolved = ok = false;
}
}
21 changes: 21 additions & 0 deletions ext/zend_test/tests/gh13970.phpt
@@ -0,0 +1,21 @@
--TEST--
GH-13970 (Incorrect validation of #[\Attribute]’s first parameter)
--EXTENSIONS--
zend_test
--FILE--
<?php
#[Attribute(\ZendTestUnitEnum::Foo)]
class Foo {

}

#[Foo]
function test1() {

}

$reflection = new ReflectionFunction('test1');
var_dump($reflection->getAttributes()[0]->newInstance());
?>
--EXPECTF--
Fatal error: Attribute::__construct(): Argument #1 ($flags) must be of type int, ZendTestUnitEnum given in %s on line %d
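Review bot: this test exercises only the non-preload path, since it has no `--INI--` section enabling preloading, while both C changes are specific to preloading and the author's reply above says the issue still occurs there. Add a second `.phpt` that preloads a file containing the same `#[Attribute(\ZendTestUnitEnum::Foo)]` declaration and expects the same fatal error. A case with a class constant whose value is an array would also pin down the behaviour of the new `Z_COLLECTABLE(tmp)` check.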