Fix GH-21682: ZipArchive is missing the NOT_SERIALIZABLE flag

iliaal · iliaal · commit 9090afdce114 · 2026-04-09T15:04:30.000-04:00
ZipArchive allowed serialization, producing a string that unserializes into an empty object with no open file handle. Add the @not-serializable annotation so serialize() throws an exception. Closes GH-21682
diff --git a/ext/zip/php_zip.stub.php b/ext/zip/php_zip.stub.php
@@ -64,6 +64,7 @@ function zip_entry_filesize($zip_entry): int|false {}
 #[\Deprecated(since: '8.0', message: 'use ZipArchive::statIndex() instead')]
 function zip_entry_compressionmethod($zip_entry): string|false {}
 
+/** @not-serializable */
 class ZipArchive implements Countable
 {
     /**
diff --git a/ext/zip/php_zip_arginfo.h b/ext/zip/php_zip_arginfo.h
diff --git a/ext/zip/tests/gh21682.phpt b/ext/zip/tests/gh21682.phpt
@@ -0,0 +1,16 @@
+--TEST--
+GH-21682 (ZipArchive is missing the NOT_SERIALIZABLE flag)
+--EXTENSIONS--
+zip
+--FILE--
+<?php
+$a = new ZipArchive();
+try {
+    serialize($a);
+    echo "ERROR: should have thrown\n";
+} catch (\Exception $e) {
+    echo $e->getMessage() . "\n";
+}
+?>
+--EXPECT--
+Serialization of 'ZipArchive' is not allowed

Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,7 @@ function zip_entry_filesize($zip_entry): int\|false {}`
`64`	`64`	`#[\Deprecated(since: '8.0', message: 'use ZipArchive::statIndex() instead')]`
`65`	`65`	`function zip_entry_compressionmethod($zip_entry): string\|false {}`
`66`	`66`
	`67`	`+/** @not-serializable */`
`67`	`68`	`class ZipArchive implements Countable`
`68`	`69`	`{`
`69`	`70`	`/**`