ext/zip: Make ZipArchive non-serializable

k2gl · k2gl · commit 5f927a303b4d · 2026-06-06T00:12:18.000+05:00
A ZipArchive wraps a libzip resource that cannot survive serialization, so unserialize() silently produced a broken object (numFiles = 0) instead of erroring. Mark the class as not-serializable, consistent with Socket, CurlHandle and the Dba classes. Fixes GH-21682
diff --git a/NEWS b/NEWS
@@ -266,6 +266,8 @@ PHP                                                                        NEWS
     (kocsismate)
 
 - Zip:
+  . Fixed bug GH-21682 (ZipArchive must not be serializable).
+    (Nickolay Harin)
   . Fixed ZipArchive callback being called after executor has shut down.
     (ilutov)
   . Support minimum version for libzip dependency updated to 1.0.0.
diff --git a/ext/zip/php_zip.stub.php b/ext/zip/php_zip.stub.php
@@ -64,6 +64,9 @@ function zip_entry_filesize($zip_entry): int|false {}
 #[\Deprecated(since: '8.0', message: 'use ZipArchive::statIndex() instead')]
 function zip_entry_compressionmethod($zip_entry): string|false {}
 
+/**
+ * @not-serializable
+ */
 class ZipArchive implements Countable
 {
     /**
diff --git a/ext/zip/php_zip_arginfo.h b/ext/zip/php_zip_arginfo.h
diff --git a/ext/zip/tests/gh21682.phpt b/ext/zip/tests/gh21682.phpt
@@ -0,0 +1,14 @@
+--TEST--
+GH-21682 (ZipArchive must not be serializable)
+--EXTENSIONS--
+zip
+--FILE--
+<?php
+try {
+    serialize(new ZipArchive());
+} catch (\Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+Serialization of 'ZipArchive' is not allowed

Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,9 @@ function zip_entry_filesize($zip_entry): int\|false {}`
`64`	`64`	`#[\Deprecated(since: '8.0', message: 'use ZipArchive::statIndex() instead')]`
`65`	`65`	`function zip_entry_compressionmethod($zip_entry): string\|false {}`
`66`	`66`
	`67`	`+/**`
	`68`	`+ * @not-serializable`
	`69`	`+ */`
`67`	`70`	`class ZipArchive implements Countable`
`68`	`71`	`{`
`69`	`72`	`/**`