Unserialize whitelist

docs/book/adapter.md

@@ -16,7 +16,12 @@ The `Zend\Serializer\Adapter\PhpSerialize` adapter uses the built-in
 [serialize()](http://php.net/serialize)/[unserialize()](http://php.net/unserialize)
 functions, and is a good default adapter choice.
 
-There are no configurable options for this adapter.
+Available options include:
+
+Option                      | Data Type         | Default Value | Description
+--------------------------- | ----------------- | ------------- | -------------------------------------------------------------------------------------------------------------------------------------------------
+unserialize_class_whitelist | `array` or `bool` | `true`        | The allowed classes for unserialize(), see [unserialize()](http://php.net/unserialize) for more information. Only available on PHP 7.0 or higher.
+
 
 ## The IgBinary Adapter
 

src/Adapter/PhpSerialize.php

@@ -21,8 +21,15 @@ class PhpSerialize extends AbstractAdapter
      */
     private static $serializedFalse = null;
 
+    /**
+     * @var PhpSerializeOptions
+     */
+    protected $options;
+
     /**
      * Constructor
+     *
+     * @param  array|\Traversable|PhpSerializeOptions|null $options
      */
     public function __construct($options = null)
     {
@@ -35,6 +42,36 @@ public function __construct($options = null)
         parent::__construct($options);
     }
 
+    /**
+     * Set options
+     *
+     * @param  array|\Traversable|PhpSerializeOptions $options
+     * @return PhpSerialize
+     */
+    public function setOptions($options)
+    {
+        if (! $options instanceof PhpSerializeOptions) {
+            $options = new PhpSerializeOptions($options);
+        }
+
+        $this->options = $options;
+        return $this;
+    }
+
+    /**
+     * Get options
+     *
+     * @return PhpSerializeOptions
+     */
+    public function getOptions()
+    {
+        if ($this->options === null) {
+            $this->options = new PhpSerializeOptions();
+        }
+
+        return $this->options;
+    }
+
     /**
      * Serialize using serialize()
      *
@@ -85,7 +122,14 @@ public function unserialize($serialized)
         }
 
         ErrorHandler::start(E_NOTICE);
-        $ret = unserialize($serialized);
+
+        if (PHP_MAJOR_VERSION >= 7) {
+            // the second parameter is only available on PHP 7.0 or higher
+            $ret = unserialize($serialized, ['allowed_classes' => $this->getOptions()->getUnserializeClassWhitelist()]);
+        } else {
+            $ret = unserialize($serialized);
+        }
+
         $err = ErrorHandler::stop();
         if ($ret === false) {
             throw new Exception\RuntimeException('Unserialization failed', 0, $err);

src/Adapter/PhpSerializeOptions.php

@@ -0,0 +1,52 @@
+<?php
+/**
+ * Zend Framework (http://framework.zend.com/)
+ *
+ * @link      http://github.com/zendframework/zf2 for the canonical source repository
+ * @copyright Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com)
+ * @license   http://framework.zend.com/license/new-bsd New BSD License
+ */
+
+namespace Zend\Serializer\Adapter;
+
+use Zend\Json\Json as ZendJson;
+use Zend\Serializer\Exception;
+
+class PhpSerializeOptions extends AdapterOptions
+{
+    /**
+     * The list of allowed classes for unserialization (PHP 7.0+)
+     * Possible values:
+     * Array of class names that are allowed to be unserialized
+     * or true if all classes should be allowed (behavior of pre PHP 7.0)
+     * or false if no classes should be allowed
+     *
+     * @var array|bool
+     */
+    protected $unserializeClassWhitelist = true;
+
+    /**
+     * @param  array|bool $unserializeClassWhitelist
+     *
+     * @return PhpSerializeOptions
+     */
+    public function setUnserializeClassWhitelist($unserializeClassWhitelist)
+    {
+        if (($unserializeClassWhitelist !== true) && (PHP_MAJOR_VERSION < 7)) {
+            throw new Exception\InvalidArgumentException(
+                'Class whitelist for unserialize() is only available on PHP 7.0 or higher.'
+            );
+        }
+
+        $this->unserializeClassWhitelist = $unserializeClassWhitelist;
+        return $this;
+    }
+
+    /**
+     * @return array|bool
+     */
+    public function getUnserializeClassWhitelist()
+    {
+        return $this->unserializeClassWhitelist;
+    }
+}

test/Adapter/PhpSerializeTest.php

@@ -165,4 +165,49 @@ public function testUnserializingInvalidStringRaisesException($string, $expected
         $this->expectExceptionMessage($expected);
         $this->adapter->unserialize($string);
     }
+
+    public function testUnserializeNoWhitelistedClasses()
+    {
+        $value = 'O:8:"stdClass":0:{}';
+
+        $this->adapter->getOptions()->setUnserializeClassWhitelist(false);
+
+        $data = $this->adapter->unserialize($value);
+
+        if (PHP_MAJOR_VERSION >= 7) {
+            $this->assertNotInstanceOf(\stdClass::class, $data);
+            $this->assertInstanceOf('__PHP_Incomplete_Class', $data);
+        } else {
+            // Pre PHP 7.0 the whitelist should have no effect
+            $this->assertInstanceOf(\stdClass::class, $data);
+        }
+    }
+
+    public function testUnserializeClassNotAllowed()
+    {
+        $value = 'O:8:"stdClass":0:{}';
+
+        $this->adapter->getOptions()->setUnserializeClassWhitelist([\My\Dummy::class]);
+
+        $data = $this->adapter->unserialize($value);
+
+        if (PHP_MAJOR_VERSION >= 7) {
+            $this->assertNotInstanceOf(\stdClass::class, $data);
+            $this->assertInstanceOf('__PHP_Incomplete_Class', $data);
+        } else {
+            // Pre PHP 7.0 the whitelist should have no effect
+            $this->assertInstanceOf(\stdClass::class, $data);
+        }
+    }
+
+    public function testUnserializeClassAllowed()
+    {
+        $value = 'O:8:"stdClass":0:{}';
+
+        $this->adapter->getOptions()->setUnserializeClassWhitelist([\stdClass::class]);
+
+        $data = $this->adapter->unserialize($value);
+        $this->assertInstanceOf(\stdClass::class, $data);
+        $this->assertNotInstanceOf('__PHP_Incomplete_Class', $data);
+    }
 }